Cross-Site Request Forgery (CSRF) protection
Use token-based Cross-Site Request Forgery (CSRF) protection against CSRF attack vectors. You can perform steps to reduce the risk of a CSRF attack.
- Cross-Site Request Forgery (CSRF)
- CSRF is a form of attack that causes a user's web browser to perform an unwanted action on a trusted website while the user is authenticated to it. A CSRF attack originates from a malicious website, email, blog, instant message, or program.
- CSRF and IBM Cúram Social Program Management
- IBM Cúram Social Program Management RESTful web services use the HTTP referrer header to protect against CSRF attacks. However, token-based protection provides an enhanced level of protection against CSRF attack vectors. Token-based CSRF protection is recommended.
Reducing the risk of a CSRF attack
Note: By default, token-based CSRF protection is disabled. Enabling token-based CSRF protection changes the behavior of the allowed referrer domains.
Compromised subdomains make CSRF attacks easier within the parent domain. To reduce the threat, take the required steps to maintain the integrity of your registered domains and subdomains. When token-based protection is enabled, add subdomains to the white list of trusted host domains in the system property curam.rest.refererDomains.

Note: Where the REST request comes from a host domain or subdomain that is not explicitly added to the white list in the referrer domains list, the REST request is blocked.
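The allowlist rule above, modelled as an added example rather than Cúram's own code: the referrer host must match an entry exactly (an unlisted subdomain is blocked), and when token-based protection is on, the request token must also match the session token. The comma-separated format of curam.rest.refererDomains and the hypothetical host names are assumptions.

```python
from __future__ import annotations
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed value standing in for the curam.rest.refererDomains property.
# The comma-separated format is an assumption for this illustration.
REFERER_DOMAINS = "portal.example.org, apps.example.org"


def parse_referer_domains(value: str) -> frozenset[str]:
    """Split the property into a set of lowercase host names."""
    return frozenset(h.strip().lower() for h in value.split(",") if h.strip())


def referer_allowed(referer: Optional[str], allowed: frozenset[str]) -> bool:
    """Exact host match only. A subdomain is trusted only if it is listed
    itself; a missing or unparseable Referer is treated as untrusted."""
    if not referer:
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in allowed


def issue_token() -> str:
    """Per-session synchronizer token, stored server-side in the session."""
    return secrets.token_urlsafe(32)


def token_valid(session_token: Optional[str], request_token: Optional[str]) -> bool:
    """Constant-time comparison of the token echoed by the client."""
    if not session_token or not request_token:
        return False
    return hmac.compare_digest(session_token, request_token)


def request_permitted(referer: Optional[str], session_token: Optional[str],
                      request_token: Optional[str], allowed: frozenset[str],
                      token_protection: bool = True) -> bool:
    """Referrer check always applies; the token check applies when enabled."""
    if not referer_allowed(referer, allowed):
        return False
    if token_protection:
        return token_valid(session_token, request_token)
    return True
```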