If you have a comment on this topic, contact Aptify Documentation. If you want to return to the Aptify Community Site, please click here.

CSRF Security Documentation

* Ways by which customers can turn off CSRF Validation :

  1. Use of global attribute :

We have added a global attribute which can change CSRF validation to be turned on and off .

Attribute Details -

Name : Aptify.Services.Csrf.EnableCSRFProtection

Default Value : True

Use : If attribute value is True, csrf validation is enabled and if not, it is disabled.

Also, when there is no value given for attribute then it is considered as false and csrf validation is disabled.

2. Endpoint specific metadata :

We have added an attribute setting in web.config that will decide to which endpoint's response csrf tokens will be added.

Attribute Details -

Name : Aptify.Services.Csrf.AntiForgeryToken.EndpointURIPattern

Default Value : "/services/UserInformation" : This will be the endpoint name

Use : CSRF tokens will be added to that endpoint's response.

Also, for all non-get endpoints, csrf validation is turned on by default.

Get endpoints are used for just retrieval of data no mutational changes are done through it.

If customer want to add the csrf protection for GET endpoints, they need to put the csrf flag value to true for that endpoint as following ,


        "endpoints" : {

                "exampleEndpoint" : {

                        "csrf" : {

                                "enabled" : true


                        //remaining end point metadata omitted




* Pre-requisites for csrf protection :

CSRF protection is not possible unless Aptify.Services.CORS.AllowedDomains is set properly. If this is allowing all sites, Same origin access CSRF is automatically defeated.

So make sure that Aptify.Services.CORS.AllowedDomains attribute in web.config is set properly.

* Configuration Changes :

For CSRF protection, we have added a validation cookie to the response. We can configure the cookie name in web.config using an attribute.

Attribute Name : Aptify.Services.Csrf.CookieName

Default Value : AptifyCSRFCookie

Copyright © 2014-2019 Aptify - Confidential and Proprietary