Protect your WebApp from CSRF attacks
Sitevision 9.1 introduces the option to protect your apps from CSRF attacks.
CSRF-protect your WebApp
Since Sitevision 9.1 you have the option to protect your WebApp from CSRF attacks. The protection is not enabled automatically; you have to take two steps in your WebApp. First you have to add a property to your manifest.json.
Once that property is added, Sitevision will validate mutating requests (PUT, POST or DELETE) to your WebApp. If validation fails, the request is rejected and the response is a 403. To pass the validation you have to send a token with your request. This can be done in two ways, either as a request parameter or as a request header. This is how it would look if you used the request parameter method:
<form method="POST" action="/appresource/4.xxx/12.xxx/endpoint">
  <input type="hidden" name="sv.csrfToken" value="<token>" />
  <input type="text" name="message" value="" />
  <button>Submit</button>
</form>
If you are doing XHR requests you have the option to pass the token as a header instead. The header name is X-CSRF-Token and the token is passed as its value.
The token and the related helpers are available through a new API, Security, which can be required from anywhere in your WebApp.