Revision as of 14:03, April 1, 2015
CSRF Protection
Overview
Workspace Web Edition & Web Services provides protection against Cross Site Request Forgery (CSRF) attacks.
For general information and background on CSRF, see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.
Setup
To set up Cross Site Request Forgery protection, use the two configuration options that were added to the server-settings.yaml file.

| Option | Description |
|---|---|
| enableCsrfProtection | (true/false) Determines whether CSRF protection is enabled for the GWS node. |
| exposedHeaders | A comma-separated list of headers to include in the Access-Control-Expose-Headers response header. |
Example
  enableCsrfProtection: true
  crossOriginSettings:
    corsFilterCacheTimeToLive: 120
    allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
Link to API documentation and examples
Next Step