Revision as of 14:03, April 1, 2015 by Jumunn (talk | contribs)

CSRF Protection

Overview

Workspace Web Edition & Web Services provides protection against Cross Site Request Forgery (CSRF) attacks.

For general information and background on CSRF see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.

Setup

To set up Cross Site Request Forgery protection, two configuration options were added to the server-settings.yaml file.

Option                  Description
enableCsrfProtection    (true/false) Determines whether CSRF protection is enabled for the GWS node.
exposedHeaders          A comma-separated list of headers to include in the Access-Control-Expose-Headers response header.

Example

enableCsrfProtection: true
crossOriginSettings:
    corsFilterCacheTimeToLive: 120
    allowedOrigins: https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090
    allowedMethods: GET,POST,PUT,DELETE,OPTIONS
    allowedHeaders: "X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN"
    allowCredentials: true
    exposedHeaders: "X-CSRF-HEADER,X-CSRF-TOKEN"
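The following is an added illustration, not code from Workspace Web Edition & Web Services, of what the settings above ask the server to enforce: an Origin check against the allowedOrigins patterns, an allowedMethods check, and, for state-changing methods, a per-session CSRF token that the client can only read back because X-CSRF-HEADER and X-CSRF-TOKEN are listed in exposedHeaders. The wildcard matching rule, the session dictionary and the assumption that X-CSRF-HEADER names the request header to echo the token in are my own modelling choices.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed subset of the server-settings.yaml example above.
SETTINGS = {
    "enableCsrfProtection": True,
    "crossOriginSettings": {
        "allowedOrigins": "https://*.salesforce.com, https://*.force.com, http://127.0.0.1:9090",
        "allowedMethods": "GET,POST,PUT,DELETE,OPTIONS",
        "exposedHeaders": "X-CSRF-HEADER,X-CSRF-TOKEN",
    },
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods need no CSRF token


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def origin_allowed(origin, patterns):
    """Match an Origin header against the allowedOrigins patterns (assumed semantics:
    '*.' covers any subdomain of the suffix, never the bare apex, and the scheme and port must agree)."""
    o = urlsplit(origin)
    if not o.scheme or not o.netloc or o.path or o.query:
        return False  # a real Origin header is scheme://host[:port] only
    for p in patterns:
        pat = urlsplit(p)
        if pat.scheme != o.scheme:
            continue
        if pat.netloc.startswith("*."):
            if o.hostname.endswith(pat.netloc[1:]) and o.port == pat.port:
                return True
        elif pat.netloc == o.netloc:
            return True
    return False


def issue_csrf_token(session):
    """Mint a per-session token and return the response headers that expose it to a cross-origin client."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return {
        "X-CSRF-HEADER": "X-CSRF-TOKEN",  # assumed: tells the client which request header to echo the token in
        "X-CSRF-TOKEN": session["csrf_token"],
        "Access-Control-Expose-Headers": SETTINGS["crossOriginSettings"]["exposedHeaders"],
    }


def request_allowed(session, method, headers):
    """Apply the CORS origin/method checks, then the CSRF token check for state-changing methods."""
    cos = SETTINGS["crossOriginSettings"]
    origin = headers.get("Origin")
    if origin is not None and not origin_allowed(origin, split_list(cos["allowedOrigins"])):
        return False
    if method not in split_list(cos["allowedMethods"]):
        return False
    if SETTINGS["enableCsrfProtection"] and method not in SAFE_METHODS:
        expected = session.get("csrf_token")
        supplied = headers.get("X-CSRF-TOKEN", "")
        if not expected or not hmac.compare_digest(expected, supplied):
            return False  # missing or mismatched token: forged cross-site request or stale session
    return True
```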

Link to API documentation and examples
