Protect your WebApp against CSRF attacks
Sitevision 9.1 introduces a way to protect your apps against CSRF attacks.
CSRF-protect your WebApp
Since Sitevision 9.1 you have the option to add protection against CSRF attacks to your WebApp. Enabling CSRF protection takes a few steps. The first is to add a property to your manifest.json:
"csrfProtection": true,
Once that property is added, Sitevision validates all mutating requests (PUT, POST or DELETE) sent to your WebApp. If validation fails, the request is rejected with HTTP status code 403. To pass validation the request must contain a CSRF token. There are two ways to send this token: as a request parameter or as a request header.
Example using the request parameter method:
<form method="POST" action="/appresource/4.xxx/12.xxx/endpoint">
  <input type="hidden" name="sv.csrfToken" value="<token>" />
  <input type="text" name="message" value="" />
  <button>
    Submit
  </button>
</form>
If an XHR request is used to send the data, the token can instead be passed as an HTTP header. The header name is X-CSRF-Token and the token is passed as its value.
The token itself is available through a new API, Security, which can be required from anywhere in your WebApp.
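As an added example (not Sitevision's own code), the client-side helper below attaches the token to fetch() requests the way described above: only mutating methods get the X-CSRF-Token header, and a missing token is an error rather than a silently unprotected request. A small model of the server-side rule follows so the behaviour can be checked offline; it assumes the token was already obtained from the Security API and rendered into the page, and uses the header and parameter names given on this page.

```javascript
// Methods Sitevision validates when csrfProtection is enabled.
const MUTATING_METHODS = new Set(['PUT', 'POST', 'DELETE']);
const CSRF_HEADER = 'X-CSRF-Token';
const CSRF_PARAM = 'sv.csrfToken';

// Build the init object for fetch(). `token` is assumed to have been
// rendered into the page by the server (e.g. from the Security API);
// how it gets there is up to the app.
function buildRequestInit(method, body, token) {
  const upper = method.toUpperCase();
  const headers = { 'Content-Type': 'application/json' };
  if (MUTATING_METHODS.has(upper)) {
    if (!token) {
      // Fail loudly: a mutating request without a token gets a 403 anyway.
      throw new Error('CSRF token required for ' + upper + ' request');
    }
    headers[CSRF_HEADER] = token;
  }
  const init = { method: upper, headers, credentials: 'same-origin' };
  if (body !== undefined) init.body = JSON.stringify(body);
  return init;
}

// Case-insensitive header lookup (HTTP header names are not case-sensitive).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Illustrative model of the rule described above, not Sitevision's
// implementation: non-mutating requests pass; mutating requests must carry
// the expected token as the sv.csrfToken parameter or the X-CSRF-Token
// header, otherwise the answer is 403.
function checkCsrf(request, expectedToken) {
  if (!MUTATING_METHODS.has(request.method.toUpperCase())) return 200;
  const presented =
    headerValue(request.headers || {}, CSRF_HEADER) ||
    (request.params || {})[CSRF_PARAM];
  return presented === expectedToken ? 200 : 403;
}

// Typical use in the browser (token value constructed for illustration):
// fetch('/appresource/4.xxx/12.xxx/endpoint',
//       buildRequestInit('POST', { message: 'hello' }, pageToken));
```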