| Line 35: | Line 35: | ||
As you can see from the example provided, <tt>X-CSRF-TOKEN</tt> has been added to the default allowed headers. | As you can see from the example provided, <tt>X-CSRF-TOKEN</tt> has been added to the default allowed headers. | ||
| − | Link to [[Documentation:HTCC:API: | + | Link to [[Documentation:HTCC:API:CSRFProtection:8.5.2DRAFT|API documentation and examples]] |
[[Category:V:HTCC:8.5.2DRAFT]] | [[Category:V:HTCC:8.5.2DRAFT]] | ||
Revision as of 17:47, August 12, 2014
Cross Site Request Forgery Protection
Overview
Genesys Web Services provides protections against Cross Site Request Forgery (CSRF) attacks.
For general information and background on CSRF see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.
Setup
To set up Cross Site Request Forgery Protection, two new configuration options were introduced to the server-settings.yaml file.
| Option | Description |
|---|---|
| enableCsrfProtection | (true/false) Determines whether CSRF protections should be enabled for the GWS node. |
| exposedHeaders | A comma separated list of headers to include in Access-Control-Expose-Headers. |
Example
enableCsrfProtection: true
crossOriginSettings:
corsFilterCacheTimeToLive: 120
allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
allowedMethods: GET,POST,PUT,DELETE,OPTIONS
allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
allowCredentials: true
exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
As you can see from the example provided, X-CSRF-TOKEN has been added to the default allowed headers.
Link to API documentation and examples
Comments or questions about this documentation? Contact us for support!