Configuring CSRF Guard in Integration Server
Keep the following points in mind when you configure CSRF guard in Integration Server:
When you enable or disable CSRF guard in Integration Server, you must refresh the web browser for the changes to take effect.
Integration Server does not provide protection from CSRF attacks in the following situations:
Requests from users with execute access to invoke services that have the Anonymous ACL assigned to them.
Requests from Integration Server Administrator or a client application after an Integration Server session has timed out. In such cases, Integration Server redirects the user or issues an error. You must refresh the web browser to continue.
Requests from user agents that are different from the user agent that was used when creating the session.
To configure CSRF guard in Integration Server:
1. Open Integration Server Administrator.
2. In the Navigation panel, select Security > CSRF Guard > Edit CSRF Guard Settings.
3. Select the Enabled check box to enable CSRF guard in Integration Server.
4. In the Excluded User Agents text area, enter the user agents for which CSRF guard is not to be enforced.
The user agent value is the string that corresponds to the User-Agent HTTP header in the HTTP request.
You can specify the user agents as regular expressions, but the asterisk (*) is the only wildcard character allowed. Enter one user agent per line, pressing ENTER to start a new line.
5. In the Landing Pages text area, enter the landing pages of the packages in your Integration Server. Integration Server does not check requests for a landing page for a CSRF secure token, but it inserts a token into the landing page it serves; all further requests made from that landing page are then guarded with CSRF secure tokens.
Landing pages cannot be specified as regular expressions; each entry must be an exact URL. Enter one landing page per line, pressing ENTER to start a new line.
6. In the Unprotected URLs text area, enter the URLs for which Integration Server does not have to check for CSRF secure tokens.
You can specify unprotected URLs as regular expressions, but the asterisk (*) is the only wildcard character allowed. Enter one URL per line, pressing ENTER to start a new line.
Note:
Do not specify landing pages in the Unprotected URLs text area. If a URL appears in both the Landing Pages and the Unprotected URLs text areas, the Landing Pages entry takes precedence: Integration Server does not check that page for a CSRF secure token, but still inserts a token into it.
7. From the Denial Action options, select the action that you want Integration Server to perform when it detects that a request does not contain a CSRF secure token or contains an invalid CSRF secure token.
Select... | To...
--- | ---
Error | Issue an “access denied” error and terminate the request. This is the default. When Integration Server detects that a request does not contain a CSRF secure token or contains an invalid one, it issues the error "Access Denied. Invalid CSRF secure token." This message indicates that Integration Server has detected a CSRF attack, but Integration Server also issues it when the Integration Server session has expired, when the web browser was not refreshed after CSRF guard was enabled, or when another user connected to the same Integration Server restarted it. In these cases, refresh the web browser to continue.
Redirect | Redirect the user as follows. If the CSRF threat is detected when a user accesses a DSP page in Integration Server Administrator, redirect the user to the home page of Integration Server Administrator. If the CSRF threat is detected in a URL or client request that includes an invoke, rest, or restv2 directive, redirect the user to a web page that warns that Integration Server has detected a CSRF attack; the user must click Continue to execute the service. Note: Integration Server redirects the user to this warning page only if the client application accepts text/html as the content type. If the client application does not accept text/html, Integration Server returns an access denied error.
8. Click Save Changes and refresh the web browser for the changes to take effect.
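The evaluation order these steps describe (excluded user agents, landing pages taking precedence over unprotected URLs, then the token check and the denial action) as an added Python model; this is not Integration Server's own code. The settings class, whole-string wildcard matching and the use of the .dsp suffix to recognize DSP pages are assumptions, and the sample configuration is constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class CsrfGuardSettings:
    """Constructed model of the Edit CSRF Guard Settings page (not Integration Server code)."""
    enabled: bool = True
    excluded_user_agents: list = field(default_factory=list)  # '*' is the only wildcard
    landing_pages: list = field(default_factory=list)         # exact match, no wildcards
    unprotected_urls: list = field(default_factory=list)      # '*' is the only wildcard
    denial_action: str = "Error"                              # "Error" (default) or "Redirect"

def star_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal.
    Assumption: the pattern must cover the whole value (the page does not say)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def evaluate(settings: CsrfGuardSettings, url: str, user_agent: str,
             token_valid: bool, accepts_html: bool = True) -> str:
    """Decide what the guard does with one request, following the documented rules."""
    if not settings.enabled:
        return "allow"
    # Requests from excluded user agents are never token-checked.
    if any(star_match(p, user_agent) for p in settings.excluded_user_agents):
        return "allow"
    # Landing pages are checked before Unprotected URLs, so they win when listed in both;
    # no token is required for the page itself, but one is inserted for later requests.
    if url in settings.landing_pages:
        return "allow-and-insert-token"
    if any(star_match(p, url) for p in settings.unprotected_urls):
        return "allow"
    if token_valid:
        return "allow"
    # Denial: the default Error action rejects; Redirect depends on the request type.
    if settings.denial_action == "Redirect":
        if url.endswith(".dsp"):          # assumption: DSP pages carry the .dsp suffix
            return "deny-redirect-admin-home"
        if accepts_html:                  # warning page only for clients accepting text/html
            return "deny-redirect-warning-page"
    return "deny-error"

# Constructed sample: the landing page is also listed as unprotected to show precedence.
SAMPLE = CsrfGuardSettings(
    excluded_user_agents=["curl/*"],
    landing_pages=["/WmRoot/index.dsp"],
    unprotected_urls=["/invoke/monitor.status*", "/WmRoot/index.dsp"],
)
```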