Access Management 7.2.2

Protect against CSRF attacks

AM includes a global filter to harden protection against cross-site request forgery (CSRF) attacks. The filter applies to all REST endpoints under json/. It requires that all requests, other than GET, HEAD, or OPTIONS, include at least one of the following headers:

  • X-Requested-With

    This header is commonly sent by JavaScript frameworks, and the AM UI already sends it on all requests.

  • Accept-API-Version

    This header specifies which version of the REST API to use. Use this header in your requests to ensure future changes to the API do not affect your clients.

    For more information about API versioning, see REST API versions.

Failure to include at least one of the headers causes the REST request to fail with a 403 Forbidden error, even if the SSO token is valid.

The CSRF filter applies only when the request includes the SSO token in the session cookie (iPlanetDirectoryPro by default).

To disable the CSRF filter, go to Configure > Global Services > REST APIs and turn off Enable CSRF Protection.

The json/ endpoint is not vulnerable to CSRF attacks when the filter is disabled, because it requires the Content-Type: application/json header, which currently triggers the same protection in browsers (a cross-origin request with that content type is not treated as a simple request). Because this browser behaviour might change in the future, keep the CSRF filter enabled.
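To make the filter's decision table concrete, here is an added model of the rules described on this page; it is illustrative code, not AM's own filter, and the Request class, csrf_filter_decision function and the sample requests are assumptions constructed for the example (the cookie name iPlanetDirectoryPro and the header names come from the page).

```python
"""Model of AM's CSRF filter rules as documented on this page (illustration only)."""
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # exempt from the check
CSRF_HEADERS = {"x-requested-with", "accept-api-version"}  # any one suffices
SESSION_COOKIE = "iPlanetDirectoryPro"            # default SSO cookie name


@dataclass
class Request:
    """Minimal request shape; assumed for the example, not AM's API."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def csrf_filter_decision(req: Request, csrf_enabled: bool = True) -> tuple[bool, str]:
    """Return (allowed, reason) for a request, following the page's rules."""
    if not csrf_enabled:
        return True, "CSRF filter disabled"
    if "/json/" not in req.path:
        return True, "not a json/ endpoint"
    if SESSION_COOKIE not in req.cookies:
        return True, "no SSO cookie; filter does not apply"
    if req.method.upper() in SAFE_METHODS:
        return True, f"{req.method.upper()} is exempt"
    present = {name.lower() for name in req.headers} & CSRF_HEADERS
    if present:
        return True, f"header present: {sorted(present)[0]}"
    return False, "403 Forbidden: missing X-Requested-With or Accept-API-Version"


def demo() -> list[tuple[str, bool, str]]:
    """Constructed sample requests covering each branch of the filter."""
    cookie = {SESSION_COOKIE: "<constructed-token>"}
    samples = [
        ("POST, cookie, no header", Request("POST", "/am/json/sessions", {}, cookie)),
        ("POST, cookie, API header", Request("POST", "/am/json/sessions",
                                             {"Accept-API-Version": "resource=2.0"}, cookie)),
        ("GET, cookie, no header", Request("GET", "/am/json/users/demo", {}, cookie)),
        ("POST, no cookie", Request("POST", "/am/json/sessions",
                                    {"Authorization": "Bearer <constructed>"}, {})),
    ]
    return [(label, *csrf_filter_decision(r)) for label, r in samples]


if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(f"{label:28} -> {'allow' if allowed else 'deny '}: {reason}")
```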