Enabling Cross-Site Request Forgery (CSRF) protection for Universal Access

You can enable token-based Cross-Site Request Forgery (CSRF) protection in Universal Access to secure the IBM® Cúram Social Program Management REST APIs from CSRF attacks.

About this task

For more information about CSRF protection in Social Program Management, see Cross-Site Request Forgery (CSRF) Protection.

For more information about how the REST APIs integrate token-based CSRF protection, see Integrating token-based Cross-Site Request Forgery (CSRF) protection.

Procedure

  1. Enable CSRF protection on the SPM server. See Enabling token-based Cross-Site Request Forgery (CSRF) protection.
  2. Ensure that every host from which Universal Access is served, including any subdomains, is listed in the curam.rest.refererDomains SPM system property. Subdomains are not matched implicitly, so a request whose Referer is an unlisted subdomain is rejected.
  3. Set the Universal Access security environment variables for CSRF in the Universal Access application. See React environment variable reference.
  4. Ensure that any images in the application that are stored in SPM and requested from the SPM server use the UAImage component from the core-ui package. The UAImage component is a wrapper for the Image component that adds the CSRF token to image requests from the SPM server.
    Note: If you are upgrading, replace the Image component with the UAImage component for every image that is stored in SPM. Otherwise, those images cannot be retrieved and displayed, because the requests that the plain Image component makes do not carry the CSRF token.
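The following is an added example and is not code from Universal Access, the core-ui package, or SPM. It illustrates the client-side mechanism behind steps 2 and 4: a plain `<img src>` request cannot carry a custom header, so a server that enforces a token-based CSRF check rejects it, and a wrapper component has to fetch the image with the token attached and render it from an object URL. It also shows why subdomains must be listed explicitly for the Referer check. The header name `X-CSRF-Token`, the helper names, the image path, and the fake SPM server are all assumptions constructed for this example; the real header and configuration names are in the linked CSRF topics.

```javascript
// Added example, not Universal Access or SPM code. The header name below is an
// assumption for illustration; check the linked CSRF topics for the real one.
const CSRF_HEADER = 'X-CSRF-Token';

// Builds the request that a token-aware image loader sends. A plain <img>
// element cannot set this header, which is why a wrapper component is needed.
function buildImageRequest(spmBaseUrl, imagePath, csrfToken) {
  const url = new URL(imagePath, spmBaseUrl).toString();
  const headers = {};
  if (csrfToken) headers[CSRF_HEADER] = csrfToken;
  // credentials: 'include' sends the session cookie along with the token.
  return { url, method: 'GET', credentials: 'include', headers };
}

// Fetches the image with the CSRF token and returns an object URL that can be
// used as an <img> src. fetchImpl and createObjectURL are injected so that the
// function also runs outside a browser (for example under Node).
async function loadProtectedImage(spmBaseUrl, imagePath, csrfToken, deps) {
  const { fetchImpl, createObjectURL } = deps;
  const req = buildImageRequest(spmBaseUrl, imagePath, csrfToken);
  const res = await fetchImpl(req.url, {
    method: req.method,
    credentials: req.credentials,
    headers: req.headers,
  });
  if (!res.ok) throw new Error(`image request rejected: HTTP ${res.status}`);
  const blob = await res.blob();
  return createObjectURL(blob);
}

// Constructed stand-in for an SPM server with token-based CSRF protection
// enabled: it serves the image only when the expected token header is present.
function fakeSpmServer(expectedToken) {
  return async (url, init) => {
    const headers = (init && init.headers) || {};
    if (headers[CSRF_HEADER] !== expectedToken) {
      return { ok: false, status: 403, blob: async () => null };
    }
    return { ok: true, status: 200, blob: async () => ({ type: 'image/png', url }) };
  };
}

// Stand-in for URL.createObjectURL outside the browser.
function fakeCreateObjectURL(blob) {
  return `blob:${blob.url}`;
}

// Illustrative Referer check for step 2 (not SPM's own code): hosts are
// compared exactly, so ua.example.com is rejected unless it is listed itself.
function refererAllowed(refererHeader, allowedDomains) {
  let host;
  try {
    host = new URL(refererHeader).host;
  } catch {
    return false; // missing or malformed Referer is rejected
  }
  return allowedDomains.includes(host);
}

// Stand-alone demonstration with constructed values.
async function demo() {
  const deps = { fetchImpl: fakeSpmServer('tok-123'), createObjectURL: fakeCreateObjectURL };
  const base = 'https://spm.example.com';
  console.log('with token:', await loadProtectedImage(base, '/images/logo.png', 'tok-123', deps));
  try {
    await loadProtectedImage(base, '/images/logo.png', undefined, deps);
  } catch (e) {
    console.log('without token:', e.message); // what a plain <img> request gets
  }
  console.log('subdomain listed?', refererAllowed('https://ua.example.com/apply', ['example.com']));
}
demo();
```

The unlisted-subdomain and missing-token branches are the two failure modes a practitioner hits after enabling the protection: images stop rendering because the request carries no token, or every REST call is rejected because the Referer host is not an exact entry in curam.rest.refererDomains.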