webMethods 10.2 | Integration Server Administrator's Guide | Securing Integration Server with CSRF Guard | How Does Integration Server Prevent CSRF Attacks?
 
How Does Integration Server Prevent CSRF Attacks?
Integration Server uses the CSRF guard feature to prevent CSRF attacks. When Integration Server receives authorization requests from Integration Server Administrator or other client applications, it creates one CSRF secure token per session and adds that token to subsequent requests until the session expires. The CSRF token expires when the session ends.
When you send a request, Integration Server verifies the existence and validity of the token in the request and compares it to the token in the session. If there is no token in the request, or if the token in the request does not match the token in the session, Integration Server terminates the request. Integration Server also logs the event as a potential CSRF attack in the server log and the security audit log.
You use the Integration Server Administrator to enable or disable CSRF guard in Integration Server.
Integration Server inserts and verifies CSRF secure tokens for:
* HTTP requests from a web browser for dynamic server pages (DSPs)
* HTTP requests for the invoke, rest, or restv2 directives
* Ajax XMLHttpRequests

Copyright © 2017-2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release