Security for REST API usage without TMC
When you issue HTTP requests directly rather than through the Terracotta Management Console (TMC), every request must include two security headers, OWASP_CSRFTOKEN and X-Requested-With.
The value of OWASP_CSRFTOKEN is dynamic, and is found in the header of each response from the Terracotta Management Server (TMS).
The value of X-Requested-With is static, and is always equal to OWASP CSRFGuard Project.
When doing a POST, DELETE, or PUT request on the TMS REST API, these two HTTP headers are required, for example:
DELETE http://localhost:9889/tc-management-api/v2/agents;id=client01/cacheManagers;names=foo/caches;names=bar/elements
  OWASP_CSRFTOKEN: M9DI-BUMD-2PPK-C45I-T6QM-ZTBE-WKKK-YT8M
  X-Requested-With: OWASP CSRFGuard Project
In the example above, OWASP_CSRFTOKEN: M9DI-BUMD-2PPK-C45I-T6QM-ZTBE-WKKK-YT8M is from the latest response received from the TMS.
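One way a script can carry the token from each response into its next request, shown as an added example that is not part of the original guide or Terracotta's own code. The names TmsClient and urllib_transport are hypothetical, and obtaining the first token from a read-only GET is an assumption.

```python
import urllib.request

TOKEN_HEADER = "OWASP_CSRFTOKEN"
STATIC_HEADERS = {"X-Requested-With": "OWASP CSRFGuard Project"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def urllib_transport(method, url, headers, body=None):
    """Default transport: returns (status, response_headers, body_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers.items()), resp.read()


class TmsClient:
    """Carries the CSRF token from each TMS response into the next request."""

    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None  # unknown until the TMS has answered at least once

    def request_headers(self, method):
        headers = dict(STATIC_HEADERS)  # static header goes on every request
        if self.token is not None:
            headers[TOKEN_HEADER] = self.token
        elif method.upper() in STATE_CHANGING:
            # Assumption: the first token is obtained from a read-only request.
            raise RuntimeError("no CSRF token yet; send a GET first")
        return headers

    def send(self, method, path, body=None):
        status, resp_headers, data = self.transport(
            method.upper(), self.base_url + path,
            self.request_headers(method), body)
        # Header names are case-insensitive, so compare in lower case.
        for name, value in resp_headers.items():
            if name.lower() == TOKEN_HEADER.lower() and value:
                self.token = value  # always keep the latest token
        return status, data
```

If a reverse proxy sits between the script and the TMS, check that it forwards header names containing underscores; nginx ignores them by default unless underscores_in_headers is turned on.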
For more information about the CSRFGuard Project, refer to the Open Web Application Security Project site.