Cross-Site Request Forgery (CSRF) protection

Use token-based Cross-Site Request Forgery (CSRF) protection to defend against CSRF attack vectors. You can also take steps to reduce the risk of a CSRF attack.

Cross-Site Request Forgery (CSRF)
CSRF is a form of attack in which a user's web browser is made to perform an unwanted action on a trusted website to which the user is authenticated. The attack is delivered through a malicious website, email, blog, instant message, or program.
A CSRF attack works because the browser automatically includes any credentials that are associated with the target website in every request to that website, regardless of which page initiated the request.
For IBM® Cúram Social Program Management (SPM), the cookie that contains the user's authentication token is submitted with every request. If an IBM SPM user is authenticated to the site, the server alone cannot distinguish a forged request from a legitimate one, because both carry the same cookie.
For more information about CSRF, see the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet related link.
CSRF and IBM Cúram Social Program Management
IBM Cúram Social Program Management RESTful web services use the HTTP Referer header (spelled this way in the HTTP specification) to protect against CSRF attacks. Because a browser or an intermediary can omit or strip the Referer header, token-based protection provides an enhanced level of protection against CSRF attack vectors. Token-based CSRF protection is recommended.
The IBM SPM REST infrastructure supports token-based CSRF protection for all REST operations, that is, GET, POST, PUT, and DELETE. By default, the token-based CSRF protection mechanism is disabled. For more information about enabling token-based CSRF protection, see the Enabling token-based Cross-Site Request Forgery (CSRF) protection related link.

Reducing the risk of a CSRF attack

Note: By default, token-based CSRF protection is disabled. Enabling token-based CSRF protection changes how the allowed referrer domains are handled.
Compromised subdomains make CSRF attacks easier within the parent domain. To reduce the threat, take the steps that are required to maintain the integrity of your registered domains and subdomains. When token-based protection is enabled, add each subdomain that must be able to call the REST services to the list of trusted host domains in the system property curam.rest.refererDomains.
Note: A REST request that comes from a host domain or subdomain that is not explicitly added to the curam.rest.refererDomains list is blocked. Listing a parent domain does not cover its subdomains.
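The following Python model illustrates the two checks described on this page: the Referer-domain list, in which each subdomain must be listed explicitly, and the per-session token check applied to GET, POST, PUT, and DELETE. It is an added example written for this page, not IBM SPM code. The header name X-CSRF-Token, the domain values, the sample requests, and the function names are constructed for illustration; IBM SPM's actual token transport and configuration are described in the Enabling token-based CSRF protection related link.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for the curam.rest.refererDomains property.
# Every host that may originate REST requests is listed explicitly;
# "example.com" alone would NOT admit "spm.example.com".
ALLOWED_REFERER_DOMAINS = frozenset({"spm.example.com", "portal.example.com"})

# Assumed header name for the token, chosen for this example only.
CSRF_HEADER = "x-csrf-token"

REST_METHODS = {"GET", "POST", "PUT", "DELETE"}


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def referer_host(referer):
    """Host part of a Referer URL in lowercase, or None if absent or unparseable."""
    if not referer:
        return None
    return urlsplit(referer).hostname  # .hostname is already lowercased


def referer_allowed(referer, allowed=ALLOWED_REFERER_DOMAINS):
    """Exact-match check: no suffix matching, so unlisted subdomains are rejected.
    A missing Referer fails closed, because a forged cross-site request may omit it."""
    host = referer_host(referer)
    return host is not None and host in allowed


def new_session_token():
    """Unguessable per-session token; issued once and bound to the user's session."""
    return secrets.token_urlsafe(32)


def token_valid(session_token, presented):
    """Constant-time comparison so an attacker cannot time-probe the token."""
    if not session_token or not presented:
        return False
    return hmac.compare_digest(session_token, presented)


def authorize_rest_request(method, headers, session_token,
                           token_protection_enabled,
                           allowed=ALLOWED_REFERER_DOMAINS):
    """Decide whether a REST request passes the CSRF checks.
    Returns (allowed, reason). The cookie is assumed already present, as the
    browser attaches it automatically; that is exactly why these checks exist."""
    if method.upper() not in REST_METHODS:
        return False, "unsupported method"
    if not referer_allowed(_header(headers, "Referer"), allowed):
        return False, "referer not in allowed domains"
    if token_protection_enabled and not token_valid(
            session_token, _header(headers, CSRF_HEADER)):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def run_demo():
    """Constructed requests against one session; returns the decisions in order."""
    tok = new_session_token()
    cases = [
        # Legitimate call from the listed host, token present.
        ("POST", {"Referer": "https://spm.example.com/Rest/cases",
                  "X-CSRF-Token": tok}),
        # Forged call: browser sent the cookie, but Referer is the attacker's site.
        ("DELETE", {"Referer": "https://attacker.example.net/evil.html",
                    "X-CSRF-Token": tok}),
        # Listed parent domain, unlisted subdomain: blocked until added explicitly.
        ("GET", {"Referer": "https://legacy.spm.example.com/old.html",
                 "X-CSRF-Token": tok}),
        # Referer suppressed by referrer policy or a proxy: fails closed.
        ("PUT", {"X-CSRF-Token": tok}),
        # Correct origin but no token: blocked once token protection is enabled.
        ("POST", {"Referer": "https://portal.example.com/app"}),
    ]
    return [authorize_rest_request(m, h, tok, True) for m, h in cases]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The fourth constructed case is the practical reason this page recommends enabling the token: a request with no Referer at all is indistinguishable from a forged one, so a Referer-only scheme must block it and legitimate clients behind strict referrer policies or stripping proxies suffer; a token travels in a header the browser does not add on its own, so it still separates the two.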