Protect your WebApp from CSRF-attacks

Sitevision 9.1 introduces the option to protect your apps from CSRF-attacks.

CSRF-protect your WebApp

Since Sitevision 9.1 you have the option to protect your WebApp from CSRF-attacks. This requires you to take some action to protect your WebApp. First you have to add a property to your manifest.json.

"csrfProtection": true,

When that property is added, Sitevision will validate mutating requests (PUT, POST or DELETE) to your WebApp. If validation fails, the request is rejected with a 403 response. To pass validation you have to include a token with your request. This can be done in two ways, either as a request parameter or as a request header. This is how it would look if you used the request parameter method:

<form method="POST" action="/appresource/4.xxx/12.xxx/endpoint">
  <input type="hidden" name="sv.csrfToken" value="<token>" />
  <input type="text" name="message" value=""/>
  <button>
    Submit
  </button>
</form>

If you are doing XHR requests you have the option to pass the token as a header instead. The header name is X-CSRF-Token and the token is passed as its value.

All of these (the token, the parameter name and the header name) are available through a new API, Security, which can be required from anywhere in your WebApp.
