Prevention of Cross-site Request Forgery (CSRF) attacks
Cross-site request forgery (CSRF), sometimes called a one-click attack or session riding, is an attack in which a malicious website causes the browser of a user whom the target site trusts to send requests that the user did not intend. CSRF abuses the trust that a site places in the browser of an authenticated user: because the browser attaches the session credentials to every request automatically, the site cannot tell a request the user meant to make from one triggered by a link or script on another site. Unless precautions are taken, the WebSEAL management pages, such as /pkmslogout, are susceptible to CSRF. For example, an attacker might force an authenticated WebSEAL user to log out involuntarily by getting the user's browser to follow a link to /pkmslogout.
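The following added example (not WebSEAL's own code; the host name, cookie name, token field and request format are assumptions) shows the two checks a server-side gate in front of a management page such as /pkmslogout would apply: the request must come from the site's own origin, and it must carry a token bound to the session that a page on another site cannot obtain. A forged logout link fails both checks; the site's own logout form passes.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit
# Added illustration, not WebSEAL's own code: host, cookie and field names are assumed.
SITE_HOST = "www.example.com"       # assumed host of the protected site
PROTECTED_PATHS = {"/pkmslogout"}   # management pages that change state
SESSION_COOKIE = "SESSION"          # assumed session cookie name
TOKEN_FIELD = "csrf_token"          # assumed form/query field carrying the token
SECRET = b"constructed-demo-secret" # constructed; real secrets belong in a key store


def issue_csrf_token(session_id: str, secret: bytes = SECRET) -> str:
    """Derive a per-session anti-CSRF token from the session id (HMAC-SHA256)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_csrf_safe(request: dict, secret: bytes = SECRET) -> bool:
    """Allow a request to a protected page only if it is same-site AND carries
    the session's token. `request` is a constructed dict: method, url, headers,
    cookies, form. A link planted on another site fails both checks."""
    parts = urlsplit(request["url"])
    if parts.path not in PROTECTED_PATHS:
        return True
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # Check 1: Origin (or Referer as fallback) must name our own host. Fail
    # closed when neither is present: the browser gave no proof of the source.
    source = headers.get("origin") or headers.get("referer")
    if not source or urlsplit(source).hostname != SITE_HOST:
        return False
    # Check 2: the token sent in the form body or query string must match the
    # token bound to the session cookie; another site's page can read neither.
    session_id = request["cookies"].get(SESSION_COOKIE)
    submitted = (request["form"].get(TOKEN_FIELD)
                 or parse_qs(parts.query).get(TOKEN_FIELD, [None])[0])
    if not session_id or not submitted:
        return False
    return hmac.compare_digest(submitted, issue_csrf_token(session_id, secret))


def forged_logout_request() -> dict:
    # Constructed: a GET to /pkmslogout triggered by a link on another site.
    return {"method": "GET", "url": "https://www.example.com/pkmslogout",
            "headers": {"Referer": "https://other-site.example/"},
            "cookies": {SESSION_COOKIE: "abc123"}, "form": {}}


def legitimate_logout_request() -> dict:
    # Constructed: the same action from the site's own logout form, with token.
    return {"method": "POST", "url": "https://www.example.com/pkmslogout",
            "headers": {"Origin": "https://www.example.com"},
            "cookies": {SESSION_COOKIE: "abc123"},
            "form": {TOKEN_FIELD: issue_csrf_token("abc123")}}
```

A request with the right origin but a missing or stale token is also refused, so a session that predates token issuance must obtain a token from the logout form before the management page acts.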