Enable cross-site request forgery protection in REST

Cross-site request forgery (CSRF) protection can be enabled for the REST protocol. To enable it, cookies must be used for authentication. The REST handshake exchanges the WCToken and WCTrustedToken parameters to prevent forgery.


Task info

Cross-site request forgery is a type of malicious attack that tricks a user into sending requests they did not intend to send. For example, an attacker can trick an authenticated user into clicking a link that updates their personal information. WebSphere Commerce accepts this request as valid because the request carries the user's valid session cookies. When CSRF protection is enabled, however, the request must also carry a special HTTP header, WCAuthToken. If the token is expected, its value must be equal to the authToken request attribute set by the store runtime; because a page on an attacker's site cannot read that value, a forged request fails the check.

Note: This option is disabled by default, and does not impact cases where WCTrustedToken is already specified.


Procedure

  1. Open the custom foundation component configuration file WCDE_installdir/workspace/WC/xml/config/com.ibm.commerce.foundation/wc-component.xml.

  2. Set the AuthTokenEnabled property to true in the REST configuration group. For example,

      <_config:configgrouping name="REST">
        <!-- Determines if the WCAuthToken HTTP header field is required for DELETE/PUT/POST calls when cookies are used for authentication. Its value must be equal to the authToken request attribute set by the store runtime. -->
        <_config:property name="AuthTokenEnabled" value="true"/>
      </_config:configgrouping>

  3. Deploy the change to the production environment.
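The following is a defender-side model of the check that the AuthTokenEnabled setting turns on, written for this page as an added example; it is not WebSphere Commerce code. The request shape, the case-insensitive header lookup, and the rule that any cookie on the request means cookie-based authentication are assumptions made here.

```python
"""Model of the WCAuthToken CSRF check: when AuthTokenEnabled is true and the
caller authenticates with cookies, DELETE/PUT/POST calls must carry a
WCAuthToken header equal to the authToken attribute set by the store runtime.
Requests that already supply WCTrustedToken are not affected."""
import hmac

STATE_CHANGING = {"POST", "PUT", "DELETE"}


def csrf_check(request, session_auth_token, auth_token_enabled=False):
    """Return (accepted, reason) for one REST request.

    request is a constructed dict with keys method, headers, cookies, params.
    session_auth_token is the authToken attribute the store runtime set for
    this session (None if the session has none).
    """
    method = request.get("method", "GET").upper()
    # HTTP header names are case-insensitive, so normalise before lookup
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    params = request.get("params", {})
    # assumption: any cookie on the request means cookie-based authentication
    cookie_auth = bool(request.get("cookies"))

    if not auth_token_enabled:
        return True, "AuthTokenEnabled=false (default): no header required"
    if "WCTrustedToken" in params or "wctrustedtoken" in headers:
        return True, "WCTrustedToken supplied: this check does not apply"
    if not cookie_auth or method not in STATE_CHANGING:
        return True, "no cookie authentication or safe method: no header required"

    presented = headers.get("wcauthtoken")
    if presented is None or session_auth_token is None:
        return False, "WCAuthToken header missing"
    # constant-time comparison so a wrong token cannot be narrowed down by timing
    if hmac.compare_digest(presented.encode(), session_auth_token.encode()):
        return True, "WCAuthToken matches authToken"
    return False, "WCAuthToken does not match authToken"


if __name__ == "__main__":
    # constructed requests: the browser attaches the session cookie to both,
    # but only the store page can add the WCAuthToken header
    forged = {"method": "POST", "headers": {}, "cookies": {"SID": "c1"}, "params": {}}
    legit = dict(forged, headers={"WCAuthToken": "tok123"})
    print(csrf_check(forged, "tok123", auth_token_enabled=True))
    print(csrf_check(legit, "tok123", auth_token_enabled=True))
```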