| Line 1: | Line 1: | ||
=CSRF protection= | =CSRF protection= | ||
| − | + | __NOTOC__ | |
Web Services provides protection against Cross Site Request Forgery (CSRF) attacks. For general information and background on CSRF see the {{#Widget:ExtLink|link=https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet|displaytext=OWASP CSRF Prevention Cheat Sheet}}. | Web Services provides protection against Cross Site Request Forgery (CSRF) attacks. For general information and background on CSRF see the {{#Widget:ExtLink|link=https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet|displaytext=OWASP CSRF Prevention Cheat Sheet}}. | ||
To set up Cross Site Request Forgery protection, set the following options in the *server-settings.yaml* file on each of your Web Services nodes: | To set up Cross Site Request Forgery protection, set the following options in the *server-settings.yaml* file on each of your Web Services nodes: | ||
*[[HTCCConfigurationOptionsReference#enableCsrfProtection|enableCsrfProtection]] — determines whether CSRF protection is enabled on the Web Services node. | *[[HTCCConfigurationOptionsReference#enableCsrfProtection|enableCsrfProtection]] — determines whether CSRF protection is enabled on the Web Services node. | ||
| − | *[[HTCCConfigurationOptionsReference#crossOriginSettings|crossOriginSettings]] — make sure this option | + | *[[HTCCConfigurationOptionsReference#crossOriginSettings|crossOriginSettings]] — make sure this option has the *exposedHeaders* setting with a value that includes <tt>X-CSRF-HEADER,X-CSRF-TOKEN</tt>. |
For example, your configuration might look like this: | For example, your configuration might look like this: | ||
<source lang="text"> | <source lang="text"> | ||
| − | |||
crossOriginSettings: | crossOriginSettings: | ||
corsFilterCacheTimeToLive: 120 | corsFilterCacheTimeToLive: 120 | ||
| Line 20: | Line 19: | ||
</source> | </source> | ||
| − | For more information about CSRF protection in the Web Services API, see [[Documentation:HTCC:API:CSRFProtection|Cross Site Request Forgery Protection]] | + | For more information about CSRF protection in the Web Services API, see [[Documentation:HTCC:API:CSRFProtection|Cross Site Request Forgery Protection]]. |
==Next step== | ==Next step== | ||
Revision as of 13:11, February 1, 2016
CSRF protection
Web Services provides protection against Cross Site Request Forgery (CSRF) attacks. For general information and background on CSRF see the OWASP CSRF Prevention Cheat Sheet.
To set up Cross Site Request Forgery protection, set the following options in the *server-settings.yaml* file on each of your Web Services nodes:
- enableCsrfProtection — determines whether CSRF protection is enabled on the Web Services node.
- crossOriginSettings — make sure this option has the *exposedHeaders* setting with a value that includes X-CSRF-HEADER,X-CSRF-TOKEN.
For example, your configuration might look like this:
crossOriginSettings:
corsFilterCacheTimeToLive: 120
allowedOrigins: http://*.genesys.com, http://*.genesyslab.com
allowedMethods: GET,POST,PUT,DELETE,OPTIONS
allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId"
allowCredentials: true
exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"For more information about CSRF protection in the Web Services API, see Cross Site Request Forgery Protection.
Next step
Comments or questions about this documentation? Contact us for support!