Configure CSRF protection

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious website causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated.


Before you begin

You must be a privileged user to complete this procedure.

You can view the current configuration of the CSRF protection by using the following command:
dspmqweb properties -a
The mqRestCsrfValidation field shows whether CSRF validation checks are performed. For more information, see dspmqweb.

Note: The mqRestCsrfExpirationInMinutes field, introduced in Version 9.0.4 to show the CSRF expiration time, no longer exists in Version 9.0.5.

Attention:

Before issuing either the setmqweb or dspmqweb commands on z/OS®, you must set the WLP_USER_DIR environment variable, so that the variable points to your mqweb server configuration.

To do this, issue the following command:
export WLP_USER_DIR=WLP_user_directory
where WLP_user_directory is the name of the directory that is passed to crtmqweb.sh. For example:
export WLP_USER_DIR=/var/mqm/web/installation1

For more information, see Create the Liberty server definition.


About this task

Prior to Version 9.0.5, the IBM MQ Console and REST API use a synchronizer token to protect against CSRF attacks. In Version 9.0.4 only, CSRF synchronizer tokens for the administrative REST API are periodically regenerated. From Version 9.0.5, CSRF synchronizer tokens are not used. Instead, a custom HTTP header must be set, which provides equivalent protection to using a synchronizer token, because a cross-site form submission cannot add a custom header to the request.

You can modify the configuration of the CSRF protection for the REST API by using the setmqweb properties command.


Procedure

Use the following method to configure CSRF token validation for the REST API:

  • For Version 9.0.4 only, use the setmqweb properties command to alter token expiry:

    setmqweb properties -k mqRestCsrfExpirationInMinutes -v time

    where time specifies the time, in minutes, before the CSRF token expires. The token remains valid for the next HTTP POST, PATCH, or DELETE method after its expiration, after which a new token is returned as a cookie and the previous token value is invalidated. A time value of -1 disables CSRF token expiration, while a value of 0 causes the token to be changed on every POST, PATCH, or DELETE request. The default value is 30 minutes.

  • Use the setmqweb properties command to remove CSRF validation checks:

    setmqweb properties -k mqRestCsrfValidation -v boolean

    where boolean specifies whether CSRF validation checks are performed; a value of false removes CSRF token validation checks. Validation of tokens is recommended, particularly where users access the REST API from web browsers. The default value is true, and CSRF tokens are validated for all HTTP POST, PATCH, and DELETE requests made through the REST API.
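To make the two mechanisms described above concrete, the following is an added illustrative model of the server-side checks, not IBM's code: the Version 9.0.4 synchronizer token with the -1, 0 and N-minute expiry semantics from the procedure, the Version 9.0.5 header-presence check, and the effect of mqRestCsrfValidation=false. It assumes the header name ibm-mq-rest-csrf-token (the page does not name the header), an injectable clock for testing, and request headers passed as a dict with lowercase names.

```python
import secrets
import time

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # CSRF checks apply only to state-changing requests
CSRF_HEADER = "ibm-mq-rest-csrf-token"             # assumed header name; not stated on this page


class CsrfGuard:
    """Illustrative model of the CSRF checks described in the text (not IBM's implementation)."""

    def __init__(self, validation=True, expiration_minutes=None, clock=time.time):
        self.validation = validation                # mqRestCsrfValidation
        self.expiration = expiration_minutes        # mqRestCsrfExpirationInMinutes (9.0.4); None = 9.0.5 header mode
        self.clock = clock                          # injectable for deterministic tests
        self.token = secrets.token_hex(16)
        self.issued = clock()

    def issue_cookie(self):
        """Token value a browser client would receive in the csrfToken cookie (token mode)."""
        return self.token

    def check(self, method, headers):
        """Return (allowed, new_cookie_value_or_None) for one request."""
        if method in SAFE_METHODS or not self.validation:
            return True, None
        supplied = headers.get(CSRF_HEADER)
        if self.expiration is None:
            # 9.0.5+: any value in the custom header suffices; a cross-site form post cannot set it
            return supplied is not None, None
        # 9.0.4: synchronizer token must equal the server's current token
        if supplied != self.token:
            return False, None
        expired = self.expiration != -1 and (self.clock() - self.issued) >= self.expiration * 60
        if not expired:
            return True, None
        # The expired token is honoured for this one request, then rotated and the old value invalidated.
        # With expiration 0 this branch runs on every request; with -1 it never runs.
        self.token = secrets.token_hex(16)
        self.issued = self.clock()
        return True, self.token
```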