Revision as of 13:09, February 1, 2016

CSRF protection

Web Services provides protection against Cross Site Request Forgery (CSRF) attacks. For general information and background on CSRF, see the OWASP CSRF Prevention Cheat Sheet (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet).

To set up CSRF protection, set the following options in the server-settings.yaml file on each of your Web Services nodes:

  • enableCsrfProtection — (true/false) determines whether CSRF protection is enabled on the Web Services node.
  • crossOriginSettings — make sure this option includes the exposedHeaders setting (the comma-separated list of headers the node places in the Access-Control-Expose-Headers response header) with a value that includes X-CSRF-HEADER,X-CSRF-TOKEN.

For example, your configuration might look like this (enableCsrfProtection is a top-level option; the other settings are nested under crossOriginSettings):

enableCsrfProtection: true
...
crossOriginSettings:
    corsFilterCacheTimeToLive: 120
    allowedOrigins: http://*.genesys.com, http://*.genesyslab.com
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"

Two points to check before restarting the node. Listing X-CSRF-HEADER and X-CSRF-TOKEN in exposedHeaders is what lets a browser client on another origin read those response headers at all; if that client then sends the token back in a request header (for example X-CSRF-TOKEN), that header must also appear in allowedHeaders, otherwise the browser's CORS preflight rejects the request before it reaches the node. And because allowCredentials is true, the browser attaches cookies to every request from an allowed origin, so outside local testing the origins in allowedOrigins should be https.

For more information about CSRF protection in the Web Services API, see the API documentation, Cross Site Request Forgery Protection.
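To confirm that each node's server-settings.yaml actually carries the settings above before you restart it, the following Python checker can be run against the file. It is an added example, not part of this page or of the Web Services product; it assumes only the option names shown above, and it adds two checks the page does not state, both ordinary CORS facts: a cross-origin client may only send the token back in an X-CSRF-TOKEN request header if allowedHeaders lists it, and plain-http origins combined with allowCredentials: true send the session cookie in clear text. The two sample configurations embedded in it are constructed for the example, and the tiny YAML reader handles only the two-level subset the page uses so the script runs without PyYAML.

```python
"""Check the CSRF-related settings of a Web Services server-settings.yaml.

Added example for this page; it is not part of the original documentation or of
the Genesys Web Services code. It assumes only what the page shows: a top-level
enableCsrfProtection flag and a crossOriginSettings block whose exposedHeaders
must list X-CSRF-HEADER and X-CSRF-TOKEN. The reader below handles just that
two-level "key: value" subset of YAML so the script runs without PyYAML; in real
tooling replace parse_settings() with yaml.safe_load().
"""

REQUIRED_EXPOSED = {"X-CSRF-HEADER", "X-CSRF-TOKEN"}
LOOPBACK = ("http://127.0.0.1", "http://localhost")

# Constructed sample: the page's example with https origins and the CSRF token
# header also allowed on requests, so every check below passes.
GOOD_SETTINGS = """\
enableCsrfProtection: true
crossOriginSettings:
    corsFilterCacheTimeToLive: 120
    allowedOrigins: https://*.genesys.com, https://*.genesyslab.com, http://127.0.0.1:9090
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
"""

# Constructed sample of a node whose operator skipped most of the setup.
WEAK_SETTINGS = """\
enableCsrfProtection: false
crossOriginSettings:
    allowedOrigins: http://*.genesys.com
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER"
"""


def parse_settings(text):
    """Parse top-level 'key: value' lines and one level of indented blocks."""
    root, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.strip() == "...":
            continue                       # blank, comment, or the page's '...'
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError("unsupported line: %r" % raw)
        key, value = key.strip(), value.strip().strip('"')
        if line[0].isspace():              # indented: belongs to the open block
            if block is None:
                raise ValueError("indented line outside a block: %r" % raw)
            block[key] = value
        elif value:                        # top-level scalar
            root[key], block = value, None
        else:                              # top-level block header
            block = root[key] = {}
    return root


def csv(value):
    """Split a comma-separated setting into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_csrf_settings(text):
    """Return a list of findings; an empty list means the setup matches the page."""
    cfg = parse_settings(text)
    findings = []
    if cfg.get("enableCsrfProtection", "").lower() != "true":
        findings.append("enableCsrfProtection is not true")
    cors = cfg.get("crossOriginSettings")
    if not isinstance(cors, dict):
        findings.append("crossOriginSettings block is missing")
        return findings
    exposed = {h.upper() for h in csv(cors.get("exposedHeaders", ""))}
    missing = sorted(REQUIRED_EXPOSED - exposed)
    if missing:
        findings.append("exposedHeaders lacks " + ", ".join(missing))
    # Beyond the page (CORS rule): a browser client on another origin may only
    # send X-CSRF-TOKEN on requests if allowedHeaders lists it, or preflight fails.
    allowed = {h.upper() for h in csv(cors.get("allowedHeaders", ""))}
    if "X-CSRF-TOKEN" not in allowed:
        findings.append("allowedHeaders does not list X-CSRF-TOKEN")
    # Beyond the page: with allowCredentials true, cookies ride along to every
    # allowed origin, so plain-http origins other than loopback are flagged.
    if cors.get("allowCredentials", "").lower() == "true":
        insecure = [o for o in csv(cors.get("allowedOrigins", ""))
                    if o.lower().startswith("http://")
                    and not o.lower().startswith(LOOPBACK)]
        if insecure:
            findings.append("allowCredentials is true but these origins are plain http: "
                            + ", ".join(insecure))
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_SETTINGS), ("weak", WEAK_SETTINGS)):
        print(name, check_csrf_settings(text) or ["ok"])
```

Run it with the path of a real server-settings.yaml read into check_csrf_settings(); the good sample returns no findings, the weak one returns four, one per missing or risky setting, which is the list you want empty on every node before enabling the feature.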

Next step
