Configuring CSRF protection
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious website causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
Before you begin
You must be a privileged user to complete this procedure.
To display the current mqweb server properties, issue the following command:
dspmqweb properties -a
The mqRestCsrfValidation field shows whether CSRF validation checks are performed. For more information, see dspmqweb. The mqRestCsrfExpirationInMinutes field, introduced in IBM® MQ 9.0.4 to show the CSRF expiration time, no longer exists in IBM MQ 9.0.5.
Before issuing either the setmqweb or dspmqweb commands on z/OS®, you must set the WLP_USER_DIR environment variable so that it points to your mqweb server configuration:
export WLP_USER_DIR=WLP_user_directory
where WLP_user_directory is the name of the directory that is passed to crtmqweb.sh. For example:
export WLP_USER_DIR=/var/mqm/web/installation1
For more information, see Create the Liberty server definition.
About this task
Prior to IBM MQ 9.0.5 the IBM MQ Console and REST API use a synchronizer token to protect against CSRF attacks. In IBM MQ 9.0.4 only, CSRF synchronizer tokens for the administrative REST API are periodically regenerated. From IBM MQ 9.0.5, CSRF synchronizer tokens are not used. Instead, a custom HTTP header needs to be set, which provides equivalent protection to using a synchronizer token.
You can modify the configuration of the CSRF protection for the REST API by using the setmqweb properties command.
Procedure
- For IBM MQ 9.0.4 only, use the setmqweb properties command to alter token expiry:
setmqweb properties -k mqRestCsrfExpirationInMinutes -v time
where time specifies the time, in minutes, before the CSRF token expires. The token remains valid for the next HTTP POST, PATCH, or DELETE method after its expiration, after which a new token is returned as a cookie and the previous token value is invalidated. A time value of -1 disables CSRF token expiration, while a value of 0 causes the token to be changed on every POST, PATCH, or DELETE request. The default value is 30 minutes.
- Use the setmqweb properties command to remove CSRF validation checks:
setmqweb properties -k mqRestCsrfValidation -v boolean
where boolean specifies whether CSRF validation checks are performed; a value of false removes CSRF token validation checks. Validation of tokens is recommended, particularly where users are using web browsers to access the REST API. The default value is true, and CSRF tokens are validated for all HTTP POST, PATCH, and DELETE requests via the REST API.
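The following model, added here as an illustration and not IBM's own code, shows the two validation behaviours this page describes: the 9.0.4 synchronizer-token expiry semantics of mqRestCsrfExpirationInMinutes (-1, 0, and a positive value, with the token still accepted once after expiry before rotation) and the 9.0.5 custom-header check that mqRestCsrfValidation switches off. The header name ibm-mq-rest-csrf-token and the injectable clock are assumptions for the example; this page does not name the header.

```python
import secrets
import time

# Methods that never carry a state-changing action and so are never checked.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed header name for the 9.0.5+ scheme. Only its presence matters: a
# cross-origin HTML form cannot attach custom headers, which is what blocks CSRF.
CSRF_HEADER = "ibm-mq-rest-csrf-token"


class TokenStore:
    """9.0.4-style synchronizer token with mqRestCsrfExpirationInMinutes semantics."""

    def __init__(self, expiration_minutes=30, clock=time.time):
        self.expiration = expiration_minutes  # -1 = never expires, 0 = rotate every request
        self.clock = clock                    # injectable for testing (assumption)
        self.token = secrets.token_hex(16)
        self.issued = clock()

    def _expired(self):
        if self.expiration == -1:
            return False
        # With expiration 0 this is always true, so the token changes on every request.
        return self.clock() - self.issued >= self.expiration * 60

    def validate(self, method, presented):
        """Return (accepted, new_token_to_set_as_cookie or None)."""
        if method in SAFE_METHODS:
            return True, None
        if presented != self.token:
            return False, None          # stale or forged token: reject
        if self._expired():
            # Expired token is still honoured for this one request, then rotated;
            # the previous value is invalidated from here on.
            self.token = secrets.token_hex(16)
            self.issued = self.clock()
            return True, self.token
        return True, None


def header_check(method, headers, validation_enabled=True):
    """9.0.5+ check; mqRestCsrfValidation=false (validation_enabled=False) skips it."""
    if not validation_enabled or method in SAFE_METHODS:
        return True
    return any(name.lower() == CSRF_HEADER for name in headers)
```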