Enabling cross-site request forgery protection in REST
Enabling cross-site request forgery (CSRF) protection is recommended when using REST APIs with cookies for authentication. If your REST API uses the WCToken or WCTrustedToken tokens for authentication, then additional CSRF protection is not required.
About this task
Cross-site request forgery is a type of malicious attack that tricks a user into sending unintended requests to modify data when only cookies are used for authentication. For example, an attacker can trick an authenticated user into clicking a link that updates their personal information without their knowledge. In this case, an unprotected HCL Commerce site would accept the request as valid, because the proper session cookies are sent with it.
However, when CSRF protection is enabled, a special HTTP header, called WCAuthToken, is required on the request. When the header is required, its value must be equal to the authToken request attribute set by the store runtime.
Procedure
- Open the custom foundation component configuration file WCDE_installdir/workspace/WC/xml/config/com.ibm.commerce.foundation/wc-component.xml in the Transaction server Docker container.
- Set the AuthTokenEnabled property to true in the REST configuration group. For example:
  <_config:configgrouping name="REST">
    <!-- Determines if the WCAuthToken HTTP header field is required for DELETE/PUT/POST calls when cookies are used for authentication. Its value must be equal to the authToken request attribute set by the store runtime. -->
    <_config:property name="AuthTokenEnabled" value="true"/>
  </_config:configgrouping>
- Deploy the change to the production environment.