Version: Release 24.1

HTTP CSRF Protection

This topic covers Cross-Site Request Forgery (CSRF), a class of attack that forces an authenticated end user to execute unwanted actions on an application. You can configure CSRF protection in Release.

Configuring the CSRF settings

To configure the CSRF settings:

Add the xl, server and http properties to the XL_RELEASE_SERVER_HOME/conf/xl-release.conf configuration file.
In the http property, add an additional csrf property. This property identifies the predefined CSRF configuration you wish to use. The supported values are:

Parameter Description
enabled Whether to enable CSRF protection. Default is true.

Parameter	Description
`enabled`	Whether to enable CSRF protection. Default is true.

Sample CSRF settings

xl {
    server {
        http {
            csrf {
                enabled = true
            }
        }
    }
}

Note: Users should disable CSRF protection if they are using internal APIs instead of public REST APIs in their own custom implementation, or they should adjust their code to use public APIs instead of internal APIs.

Configuring the CSRF settings​

Sample CSRF settings​

Configuring the CSRF settings

Sample CSRF settings