Cross-Site Request Forgery (CSRF) filters for repository

You can configure the repository in Alfresco Content Services with a filter that protects against Cross-Site Request Forgery (CSRF) attacks, in which a malicious site causes a logged-in user's browser to send requests to the repository without the user's knowledge.
Note: The CSRF filter will work correctly only if the Alfresco Content Services server is configured to use HTTPS.

The CSRF filter is configured in the web-client-security-config.xml file, which is located in the alfresco.war file. In most cases the only thing that needs to be modified is the regular expression used to check the Origin and Referer headers. This can be set in the alfresco-global.properties file; the property values then override those in web-client-security-config.xml. The following is an example configuration where Alfresco Content Services runs on the mydomain.com host on the default HTTPS port, so no port number appears in the URLs:

# CSRF filter overrides
csrf.filter.enabled=true
csrf.filter.referer=https://mydomain.com/.*
csrf.filter.referer.always=false
csrf.filter.origin=https://mydomain.com
csrf.filter.origin.always=false

Browsers send the Origin header on cross-origin requests and on most requests other than GET; it names the scheme, host and port from which the application (such as an ADF application) was loaded. If a non-standard port is used, such as 8443, the port must be part of the configured value, for example csrf.filter.origin=https://mydomain.com:8443. When the Origin header is present, it is checked against the target origin (csrf.filter.origin). When it is absent, the Referer header is checked against the csrf.filter.referer regular expression instead.

The csrf.filter.origin.always and csrf.filter.referer.always properties are booleans that control whether the corresponding header must be present for a request to pass. With a value of false, a request that lacks the header is not rejected on that account; some browsers omit Referer for privacy reasons, and some older browsers don't send Origin. Note that with both set to false, a request carrying neither header passes this check, so keep the relaxation only while such clients must be supported.

To disable the CSRF filter altogether, set the csrf.filter.enabled property to false.
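The following Python script is an added illustration of the decision procedure described in the preceding paragraphs (Origin checked first, Referer as the fallback, the two *.always flags, and the csrf.filter.enabled switch). It is not Alfresco's filter source: it assumes csrf.filter.origin is compared as an exact value and csrf.filter.referer is treated as an anchored regular expression, as the example configuration suggests, and the sample property fragment and request headers are constructed for the demonstration.

```python
"""Model of the Origin/Referer CSRF decision described on this page.

Added illustration, not Alfresco code. Assumes csrf.filter.origin is an exact
value and csrf.filter.referer is a regular expression matched in full.
"""
import re

# Constructed sample: the alfresco-global.properties overrides from this page.
SAMPLE_PROPERTIES = """\
# CSRF filter overrides
csrf.filter.enabled=true
csrf.filter.referer=https://mydomain.com/.*
csrf.filter.referer.always=false
csrf.filter.origin=https://mydomain.com
csrf.filter.origin.always=false
"""


def parse_properties(text):
    """Parse a Java-style .properties fragment into a dict (comments skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(props, key, default="false"):
    """Read a boolean property the way a properties file spells it."""
    return props.get(key, default).strip().lower() == "true"


def check_request(headers, props):
    """Return (allowed, reason) for one request's Origin/Referer headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if not is_true(props, "csrf.filter.enabled", default="true"):
        return True, "filter disabled"

    origin = headers.get("origin")
    if origin is not None:
        # Origin present: exact comparison with the configured target origin
        # (scheme, host and, for a non-standard port, the port).
        if origin == props["csrf.filter.origin"]:
            return True, "Origin matches target origin"
        return False, "Origin %r does not match target origin" % origin
    if is_true(props, "csrf.filter.origin.always"):
        return False, "Origin header required but absent"

    referer = headers.get("referer")
    if referer is not None:
        # Origin absent: the Referer must match the configured regular
        # expression. fullmatch anchors it, so a prefix match is not enough.
        if re.fullmatch(props["csrf.filter.referer"], referer):
            return True, "Referer matches csrf.filter.referer"
        return False, "Referer %r does not match csrf.filter.referer" % referer
    if is_true(props, "csrf.filter.referer.always"):
        return False, "Referer header required but absent"

    # Neither header present and neither *.always flag set: the check passes.
    # This is the relaxation the page describes for browsers that omit them.
    return True, "no Origin or Referer header; neither is required"


# Constructed requests exercising each decision path.
SAMPLE_REQUESTS = {
    "same origin": {"Origin": "https://mydomain.com"},
    "foreign origin": {"Origin": "https://evil.example"},
    "referer only": {"Referer": "https://mydomain.com/share/page/site"},
    "lookalike referer": {"Referer": "https://mydomain.com.evil.example/share/"},
    "no headers": {},
}


def evaluate_samples(props=None):
    """Run every sample request through the check; returns {name: allowed}."""
    props = props or parse_properties(SAMPLE_PROPERTIES)
    return {name: check_request(h, props)[0] for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for name, hdrs in SAMPLE_REQUESTS.items():
        allowed, reason = check_request(hdrs, props)
        print("%-18s %-6s %s" % (name, "allow" if allowed else "block", reason))
```

The "lookalike referer" case shows why the trailing slash in https://mydomain.com/.* matters: a host such as mydomain.com.evil.example shares the prefix but fails the anchored match. The unescaped dots in the host part still match any character, so a stricter pattern would escape them; the example keeps the page's own expression to stay faithful to the configuration shown above.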
