
Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery, also referred to as CSRF, is one of the most common forms of attack against web browsers. In this type of attack a malicious request is submitted on a user's behalf, without their consent, using the user's existing session.

Typically, when CSRF protection is enabled and an HTTP request is made against a web application, a token sent from the client to the server is validated so that requests which did not originate from pages served by the application are rejected. In the usual implementation the CSRF tokens are stored on the server and checked on every request. Alfresco Process Services implements this slightly differently: the CSRF token is generated on the client rather than on the server and placed in both a cookie named CSRF-TOKEN and a request header named X-CSRF-TOKEN. The server side then verifies that the header value and the cookie value match.

Where:

X-CSRF-TOKEN = header value

CSRF-TOKEN = cookie value

This provides protection because a cookie belonging to Alfresco Process Services can only be read by pages generated or served from the Alfresco Process Services domain. A page on any other origin cannot read the cookie, so it cannot set a matching X-CSRF-TOKEN header, and the server rejects the request.

Note: CSRF protection applies only to resources used by the web application itself, such as the private REST API. The public REST API is not covered by it.

By default, CSRF protection is enabled in Alfresco Process Services. To disable it, make the following changes:

  1. Open the activiti-app.properties file from the <ActivitiInstall>/tomcat/lib folder.
  2. Locate the security.csrf.disabled setting and set it to true. For example:

    security.csrf.disabled=true
