Revision as of 16:59, December 9, 2015 by Jumunn

CSRF protection

Web Services (GWS) provides protection against Cross-Site Request Forgery (CSRF) attacks. For general information and background on CSRF, see the OWASP CSRF Prevention Cheat Sheet.

Setup

CSRF protection is controlled by two configuration options in the server-settings.yaml file. enableCsrfProtection is a top-level option; exposedHeaders sits inside the crossOriginSettings block, next to the other CORS options shown in the example.

Option                  Description
enableCsrfProtection    true/false. Determines whether CSRF protection is enabled for the GWS node.
exposedHeaders          A comma-separated list of response headers to include in Access-Control-Expose-Headers, so that client-side script on an allowed origin can read them.

The example exposes X-CSRF-HEADER and X-CSRF-TOKEN so that a cross-origin client can read the token from a response. X-CSRF-TOKEN is also listed in allowedHeaders, because the browser's CORS preflight only permits the client to send that header back on later requests if the server allows it. Since allowCredentials is true, allowedOrigins must name specific origins: browsers do not send cookies or other credentials to an origin matched by a bare "*". The http://127.0.0.1:9090 entry is a local development origin and should not be present in a production configuration.

Example

enableCsrfProtection: true
crossOriginSettings:
    corsFilterCacheTimeToLive: 120
    allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
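The following added example (not Genesys code) reads a server-settings.yaml fragment and flags the CSRF-relevant weaknesses a reviewer would look for: protection disabled, a wildcard origin combined with allowCredentials, plaintext origins, and X-CSRF-TOKEN missing from allowedHeaders or exposedHeaders. The two embedded configurations are constructed samples: the first is the example above, the second a deliberately weak variant. The parser handles only the key/value subset these fragments use, which is an assumption about the file; use PyYAML for a full server-settings.yaml.

```python
"""Lint the CSRF/CORS settings of a GWS server-settings.yaml fragment.

Added example, not Genesys code. It parses only the flat `key: value` /
one-level nested subset that this block of the file uses, so it runs
without PyYAML; real files may contain YAML it does not handle.
"""
import re

# Constructed sample 1: the configuration shown on the page.
PAGE_CONFIG = """\
enableCsrfProtection: true
crossOriginSettings:
    corsFilterCacheTimeToLive: 120
    allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
"""

# Constructed sample 2: a weak variant (protection off, wildcard origin with
# credentials, token header neither allowed nor exposed).
WEAK_CONFIG = """\
enableCsrfProtection: false
crossOriginSettings:
    allowedOrigins: "*"
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie"
    allowCredentials: true
    exposedHeaders: ""
"""

CSRF_HEADER = "x-csrf-token"  # header names are case-insensitive


def _scalar(raw):
    """Turn a YAML scalar into bool, int or (unquoted) string."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        raw = raw[1:-1]
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_settings(text):
    """Parse top-level `key: value` lines and one level of indented children."""
    root, block = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")  # split on the first ':' only
        key = key.strip()
        if indent == 0:
            if value.strip():
                root[key], block = _scalar(value), None
            else:
                root[key] = block = {}  # start of a nested mapping
        elif block is None:
            raise ValueError("indented key without a parent mapping: %r" % line)
        else:
            block[key] = _scalar(value)
    return root


def _csv(value):
    """Split a comma-separated setting into a list of trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()] if isinstance(value, str) else []


def lint_csrf_settings(text):
    """Return (severity, message) findings for the CSRF-relevant settings."""
    cfg = parse_settings(text)
    cors = cfg.get("crossOriginSettings", {})
    findings = []

    if cfg.get("enableCsrfProtection") is not True:
        findings.append(("error", "enableCsrfProtection is not true: CSRF checks are off on this node"))

    origins = _csv(cors.get("allowedOrigins"))
    if cors.get("allowCredentials") is True and "*" in origins:
        findings.append(("error", "allowCredentials: true with allowedOrigins '*': browsers refuse "
                                  "credentialed requests when Access-Control-Allow-Origin is '*', so this "
                                  "either breaks the integration or, if the server echoes the request "
                                  "Origin instead, trusts every site"))
    for origin in origins:
        if origin.startswith("http://"):
            findings.append(("warn", "plaintext origin %s is allowed; keep such development "
                                     "origins out of production" % origin))

    allowed = {h.lower() for h in _csv(cors.get("allowedHeaders"))}
    exposed = {h.lower() for h in _csv(cors.get("exposedHeaders"))}
    if CSRF_HEADER not in allowed:
        findings.append(("error", "X-CSRF-TOKEN missing from allowedHeaders: the CORS preflight "
                                  "will reject cross-origin requests that carry the token"))
    if CSRF_HEADER not in exposed:
        findings.append(("error", "X-CSRF-TOKEN missing from exposedHeaders: cross-origin "
                                  "client script cannot read the token from responses"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name)
        for severity, message in lint_csrf_settings(cfg) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

Run it against a copy of the deployed file before enabling the node. Every "error" finding means either that CSRF checks are off or that a cross-origin client on an allowed origin cannot complete the token round trip; the single "warn" on the page's own example is the loopback development origin.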

Link to API documentation and examples
