MMF-308

Protect Java WS against CSRF


    Details

    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:

      Description

      What we want to achieve

      The goal is to prevent CSRF attacks: such an attack occurs when a malicious web site, email, or blog causes a user's web browser to perform an unwanted action on a trusted site on which the user is currently authenticated.

      How it will work

      To prevent CSRF, we'll use the Double Submit Cookies method, where two cookies are generated:
      – One named XSRF-TOKEN that contains a random value,
      – One marked HttpOnly that contains the token, which carries the previously generated random value in a property xsrfToken.

      Then JavaScript requests will read the content of the XSRF-TOKEN cookie and put it in an HTTP header X-XSRF-TOKEN. As only JavaScript that runs on the domain can read the cookie, we are assured that the XHR came from JavaScript running on the same domain.
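      The following is an added illustration of the server-side half of this scheme, not SonarQube's own code: it mints the two cookies and shows the filter that compares the X-XSRF-TOKEN header against the value bound inside the signed HttpOnly token. The token encoding (HMAC-signed JSON), the name SESSION-TOKEN for the HttpOnly cookie and the secret are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed model of the Double Submit Cookies scheme in the issue: a readable
# XSRF-TOKEN cookie plus an HttpOnly signed token whose xsrfToken property holds
# the same random value. Token encoding, HttpOnly cookie name and the secret are
# assumptions for this example, not SonarQube's own code.
SESSION_COOKIE = "SESSION-TOKEN"   # assumed name of the HttpOnly cookie
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _eq(a, b) -> bool:
    """Constant-time comparison so the token cannot be recovered via timing."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def sign_token(payload: dict, secret: bytes) -> str:
    """'body.signature' where signature = HMAC-SHA256(secret, body)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())

def verify_token(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the signature is valid, else None."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not sig or not _eq(sig, expected):
        return None
    return json.loads(_unb64(body))

def issue_cookies(user: str, secret: bytes) -> dict:
    """Login step: mint both cookies; only XSRF-TOKEN is readable by page scripts."""
    xsrf = secrets.token_urlsafe(32)
    return {"XSRF-TOKEN": xsrf,
            SESSION_COOKIE: sign_token({"sub": user, "xsrfToken": xsrf}, secret)}

def csrf_check(method: str, cookies: dict, headers: dict, secret: bytes) -> bool:
    """Server-side filter: a state-changing request passes only when X-XSRF-TOKEN
    equals the xsrfToken bound inside the signed HttpOnly token (checking the
    signed token, not just the readable cookie, defeats planted cookie pairs)."""
    if method.upper() not in STATE_CHANGING:
        return True                    # safe methods are not CSRF targets here
    header = headers.get("X-XSRF-TOKEN")
    claims = verify_token(cookies.get(SESSION_COOKIE, ""), secret)
    if not header or claims is None or "xsrfToken" not in claims:
        return False
    return _eq(header, claims["xsrfToken"]) and _eq(header, cookies.get("XSRF-TOKEN", ""))
```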

              People

              Assignee:
              Fabrice Bellingard (fabrice.bellingard)
              Reporter:
              Fabrice Bellingard (fabrice.bellingard)
              Votes:
              0
              Watchers:
              2
