Running Business Processes and Composite Applications 10.4 | Running Business Processes and Composite Applications | webMethods Integration Server Administrator’s Guide | Securing Integration Server with CSRF Guard | Understanding CSRF Guard Terminology
 
Understanding CSRF Guard Terminology
Before configuring CSRF guard in Integration Server, you may find it helpful to first understand the following terminology used with reference to CSRF guard in Integration Server:
*Excluded User Agents.The user agent value is the string that corresponds to the User-Agent HTTP header in the HTTP request. Excluded user agents are user agents for which Integration Server does not enforce CSRF guard. That is, Integration Server will not check for CSRF tokens on requests from these excluded user agents.
You can specify the user agents as regular expressions. The asterisk (*) is the only wildcard character allowed in the regular expression. To separate the entries, enter one user agent per line. Press ENTER to separate the lines.
For example:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)
AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341
Safari/528.16
*Mozilla*
*Landing Pages. The home pages of Integration Server packages are referred to as landing pages. Integration Server will not check for CSRF secure tokens in the landing pages, but the server will insert a token for that page. Integration Server guards all further requests from these landing pages with CSRF secure tokens.
You cannot specify landing pages as regular expressions. To separate the entries, enter one landing page per line. Press ENTER to separate the lines.
For example:

MyPackage/index.dsp

MyPackage/index.html
*Unprotected URLs. The URLs for which Integration Server does not have to check for CSRF secure tokens are referred to as unprotected URLs. Integration Server requires that the requests coming from all URLs that are not specified in this field must contain CSRF secure tokens.
If you specify a DSP page as an unprotected URL, Integration Server will not insert a CSRF secure token for that file. If you attempt to access a protected page from this DSP page, Integration Server issues an error or redirects you to the home page of Integration Server Administrator depending on your Denial Action configuration.
You can specify unprotected URLs as regular expressions. The asterisk (*) is the only wildcard character allowed in the regular expression. To separate the entries, enter one URL per line. Press ENTER to separate the lines.
The following table provides examples of URLs for Unprotected URLs text area.
In this example...
Integration Server does not check for CSRF secure token in...
MyPackage/abc.dsp
The abc.dsp page in the MyPackage package.
MyPackage/*
All the pages in the MyPackage package.
invoke/pub.math:addInts
A request invoking the pub.math:addInts service.
invoke/pub*
Requests invoking all services starting with “pub”.
invoke/*
Any invoke requests.
*Denial Action. The action you want Integration Server to perform when it detects that a request does not contain a CSRF secure token or contains an invalid CSRF secure token. You can configure Integration Server to:
*Redirect the user to the home page of Integration Server Administrator or to a webpage that displays a warning that Integration Server has detected a CSRF attack.
*Issue an error and terminate the request.

Copyright © 2019 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release