Cross-Site Request Forgery, also referred to as CSRF, is one of the most common forms of attack against web browsers. In such an attack, a malicious request is submitted on a user's behalf without their consent.
Typically, when CSRF protection is enabled, the token values sent from the client with each HTTP request are validated by the server so that requests the server did not generate are rejected. The CSRF tokens are usually stored on the server and verified on every request. Alfresco Process Services implements this slightly differently: the CSRF token is generated on the client rather than the server and placed both in a cookie named CSRF-TOKEN and in a request header named X-CSRF-TOKEN. The server then verifies that the header value and the cookie value match.
X-CSRF-TOKEN = header value
CSRF-TOKEN = cookie value
This provides extra security because the browser's same-origin policy only lets pages generated or served by the Alfresco Process Services domain read that cookie; a page on another origin can make the browser attach the cookie to a request, but it cannot read the cookie's value to set a matching X-CSRF-TOKEN header.
CSRF protection is enabled by default in Alfresco Process Services. To disable it, make the following changes:
- Open the activiti-app.properties file from the <ActivitiInstall>/tomcat/lib folder.
- Locate the security.csrf.disabled setting and set it to true. For example: