---
title: Protect against CSRF attacks
description: AM includes a global filter to harden protection against cross-site request forgery (CSRF) attacks. The filter applies to all REST endpoints under json/. It requires that all requests, other than GET, HEAD, or OPTIONS, include at least one of the following headers:
component: pingam
version: 8.1
page_id: pingam:security:rest-CSRF
canonical_url: https://docs.pingidentity.com/pingam/8.1/security/rest-CSRF.html
keywords: ["Security", "REST API"]
page_aliases: ["security-guide:rest-CSRF.adoc"]
---

# Protect against CSRF attacks

AM includes a global filter to harden protection against cross-site request forgery (CSRF) attacks. The filter applies to all REST endpoints under `json/`. It requires that all requests, other than GET, HEAD, or OPTIONS, include at least one of the following headers:

* `X-Requested-With`

  This header is often sent by JavaScript frameworks, and the UI already sends it on all requests.

* `Accept-API-Version`

  This header specifies which version of the REST API to use. Use this header in your requests to ensure future changes to the API do not affect your clients.

  For more information about API versioning, see [REST API versions](../am-rest/rest-api-versioning.html).

Failure to include at least one of the headers causes the REST request to fail with a `403 Forbidden` error, even if the SSO token is valid.

> The CSRF filter applies *only* when the request includes the SSO token in the session cookie (`iPlanetDirectoryPro` by default).

To disable the CSRF filter, go to Configure > Global Services > REST APIs and turn off Enable CSRF Protection.

The `json/` endpoint is not vulnerable to CSRF attacks when the filter is disabled, because it requires the `Content-Type: application/json` header, which browsers currently refuse to send cross-origin without a CORS preflight, giving the same protection. This might change in the future, however, so it is advisable to leave the CSRF filter enabled.
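The following is an added example, not AM's own filter code: a small model of the decision described above (safe methods pass, the filter only applies when the SSO token arrives in the session cookie, and any other request needs `X-Requested-With` or `Accept-API-Version`), plus the headers a non-browser client should send. The cookie value and the `Accept-API-Version` value are constructed samples.

```python
"""Model of the AM CSRF filter decision for requests under json/.

Added example, not AM code. Assumptions: the default session cookie
name is iPlanetDirectoryPro, and the API version string below is a
constructed sample, not a value taken from this page.
"""
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_HEADERS = ("x-requested-with", "accept-api-version")


def csrf_filter(method, headers, sso_cookie_name="iPlanetDirectoryPro"):
    """Return 200 if the request may reach the endpoint, 403 if the
    CSRF filter rejects it. `headers` maps header name to value."""
    # HTTP header names are case-insensitive; normalise once.
    names = {k.lower(): v for k, v in headers.items()}

    # The filter only applies when the SSO token is in the session
    # cookie; requests without it (anonymous, or token in a header)
    # are not subject to the check.
    cookie = SimpleCookie()
    cookie.load(names.get("cookie", ""))
    if sso_cookie_name not in cookie:
        return 200

    if method.upper() in SAFE_METHODS:
        return 200

    # State-changing request with a session cookie: one of the
    # marker headers must be present, or the request fails with 403.
    if any(h in names for h in CSRF_HEADERS):
        return 200
    return 403


def client_headers(api_version="resource=2.0, protocol=1.0"):
    """Headers a scripted client should send on every json/ call so
    it passes the filter and pins the API version (sample value)."""
    return {"Accept-API-Version": api_version,
            "Content-Type": "application/json"}


if __name__ == "__main__":
    # Constructed sample: a POST from a browser session with and
    # without a marker header.
    session = {"Cookie": "iPlanetDirectoryPro=sampletoken123"}
    print(csrf_filter("POST", session))                      # 403
    print(csrf_filter("POST", {**session, **client_headers()}))  # 200
```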
