CSRF Security Documentation
* Ways in which customers can turn CSRF validation off:
1. Use of global attribute:
We have added a global attribute that turns CSRF validation on or off.
Attribute Details -
Name : Aptify.Services.Csrf.EnableCSRFProtection
Default Value : True
Use : If the attribute value is True, CSRF validation is enabled; otherwise it is disabled.
Note that when no value is given for the attribute, it is treated as False and CSRF validation is disabled.
2. Endpoint-specific metadata:
We have added an attribute setting in web.config that decides which endpoint's response the CSRF tokens are added to.
Attribute Details -
Name : Aptify.Services.Csrf.AntiForgeryToken.EndpointURIPattern
Default Value : "/services/UserInformation" (the endpoint name)
Use : CSRF tokens are added to that endpoint's response.
Also, for all non-GET endpoints, CSRF validation is turned on by default.
GET endpoints are used only to retrieve data; no mutating changes are made through them.
If a customer wants to add CSRF protection for a GET endpoint, they need to set the csrf flag to true for that endpoint, as follows:
{
  "endpoints" : {
    "exampleEndpoint" : {
      "csrf" : {
        "enabled" : true
      }
      // remaining endpoint metadata omitted
    }
  }
}
* Pre-requisites for CSRF protection:
CSRF protection is not possible unless Aptify.Services.CORS.AllowedDomains is set properly. If it allows all sites, the same-origin restriction that CSRF protection relies on is automatically defeated.
So make sure that the Aptify.Services.CORS.AllowedDomains attribute in web.config is set properly.
* Configuration Changes:
For CSRF protection, we have added a validation cookie to the response. The cookie name can be configured in web.config using an attribute.
Attribute Name : Aptify.Services.Csrf.CookieName
Default Value : AptifyCSRFCookie
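The following is an added example, not Aptify's own code: it models the rules above (global attribute with an absent value meaning disabled, non-GET endpoints validated by default, GET endpoints validated only when their metadata opts in) and adds the review check a practitioner wants before relying on the protection. The web.config values, the endpoint metadata, and the assumption that "*" or an empty value expresses "allow all sites" for CORS.AllowedDomains are constructed for the example.

```python
import json

# Constructed sample of the web.config attributes this page describes
# (values are illustrative, not taken from a real deployment).
WEB_CONFIG = {
    "Aptify.Services.Csrf.EnableCSRFProtection": "True",
    "Aptify.Services.Csrf.AntiForgeryToken.EndpointURIPattern": "/services/UserInformation",
    "Aptify.Services.Csrf.CookieName": "AptifyCSRFCookie",
    "Aptify.Services.CORS.AllowedDomains": "https://portal.example.org",
}

# Constructed endpoint metadata in the shape shown above: one GET endpoint
# opted in to CSRF validation, one left at the default.
ENDPOINT_METADATA = json.loads("""{
  "endpoints": {
    "exampleEndpoint": {"csrf": {"enabled": true}},
    "reportEndpoint": {}
  }
}""")

CSRF_FLAG = "Aptify.Services.Csrf.EnableCSRFProtection"
CORS_FLAG = "Aptify.Services.CORS.AllowedDomains"


def csrf_globally_enabled(config):
    """Absent, empty, or non-True attribute counts as False, i.e. validation disabled."""
    return config.get(CSRF_FLAG, "").strip().lower() == "true"


def validation_required(config, metadata, endpoint, method):
    """Does this request have to carry a valid CSRF token?"""
    if not csrf_globally_enabled(config):
        return False
    if method.upper() != "GET":
        return True  # every non-GET endpoint is validated by default
    # GET endpoints are validated only when their metadata opts in.
    meta = metadata["endpoints"].get(endpoint, {})
    return bool(meta.get("csrf", {}).get("enabled", False))


def config_warnings(config):
    """Misconfigurations a reviewer should flag before trusting the protection."""
    warnings = []
    if not csrf_globally_enabled(config):
        warnings.append("EnableCSRFProtection missing, empty or not True: validation is OFF")
    # Assumption: "*" or an empty value is how "allow all sites" is expressed.
    if config.get(CORS_FLAG, "").strip() in ("", "*"):
        warnings.append("CORS.AllowedDomains allows all origins: CSRF protection is defeated")
    return warnings
```

Run `config_warnings` against a deployment's attribute values before enabling the feature; a blank EnableCSRFProtection silently leaves validation off.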
Copyright © 2014-2019 Aptify - Confidential and Proprietary