(→Example) |
|||
| Line 32: | Line 32: | ||
exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN" | exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN" | ||
</pre> | </pre> | ||
| − | |||
| − | |||
Link to [[Documentation:HTCC:API:CSRFProtection:8.5.2DRAFT|API documentation and examples]] | Link to [[Documentation:HTCC:API:CSRFProtection:8.5.2DRAFT|API documentation and examples]] | ||
Revision as of 16:55, August 26, 2014
Cross Site Request Forgery Protection
Overview
Genesys Web Services provides protections against Cross Site Request Forgery (CSRF) attacks.
For general information and background on CSRF see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.
Setup
To set up Cross Site Request Forgery Protection, two new configuration options were introduced to the server-settings.yaml file.
| Option | Description |
|---|---|
| enableCsrfProtection | (true/false) Determines whether CSRF protections should be enabled for the GWS node. |
| exposedHeaders | A comma separated list of headers to include in Access-Control-Expose-Headers. |
Example
enableCsrfProtection: true
crossOriginSettings:
corsFilterCacheTimeToLive: 120
allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
allowedMethods: GET,POST,PUT,DELETE,OPTIONS
allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
allowCredentials: true
exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
Link to API documentation and examples
Comments or questions about this documentation? Contact us for support!