CSRF Validation

This interceptor is used together with the CSRF Generator interceptor to prevent cross-site request forgery (CSRF). It validates the token issued by the CSRF Generator interceptor. Read more about CSRF and how to create a token here.

If the OAuth interceptor is already inserted in the flow, there’s no need to add the CSRF Generator/CSRF Validation interceptors to prevent attacks, since the OAuth feature imposes the inclusion of a token in the call.

These interceptors are recommended when the API is open (without OAuth or client ID authentication).

The interceptor must be inserted in the request flow of an operation that has the CSRF Generator in its response flow:

Figure: CSRF flow

Configuring the interceptor

To configure it, insert the same token location and name that is informed in the CSRF Generator settings.

Figure: CSRF validation settings

By doing so, any request coming from an unexpected source, or carrying an expired token, will be blocked by the system, preventing a CSRF attack.

If your API returns the status code 401 Unauthorized when using this interceptor, the token may be invalid. See more details on this page of our FAQs.
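The following is an added illustration of the check the validator performs; it is not the platform's own code. It assumes a token built as HMAC-signed `session:expiry:nonce`, a server-side secret shared by generator and validator, and a request represented as a dict with `headers`, `cookies` and `query` maps (all constructed here). The point it shows is that the location and name configured on the validator must match the generator's, otherwise every request is rejected as if it carried no token.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret shared by the generator and the validator (constructed).
SECRET = b"constructed-demo-secret-do-not-use"


def generate_token(session_id, ttl=300, now=None):
    """Response-flow side: issue a token bound to the session and valid for ttl seconds."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{session_id}:{exp}:{secrets.token_hex(8)}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token, session_id, now=None):
    """Check signature, session binding and expiry. Returns (ok, reason)."""
    parts = token.split(":")
    if len(parts) != 4:
        return False, "malformed token"
    sid, exp, nonce, mac = parts
    expected = hmac.new(SECRET, f"{sid}:{exp}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"          # tampered or forged token
    if sid != session_id:
        return False, "session mismatch"       # token issued to another session
    if int(exp) < (now if now is not None else time.time()):
        return False, "expired"
    return True, "ok"


def read_token(request, location, name):
    """Request-flow side: fetch the token from the configured location and name."""
    sources = {"header": request.get("headers", {}),
               "cookie": request.get("cookies", {}),
               "query": request.get("query", {})}
    return sources[location].get(name)


def validate_request(request, session_id, location, name, now=None):
    """Returns (ok, reason); a False result is what the interceptor turns into 401."""
    token = read_token(request, location, name)
    if token is None:
        return False, f"missing token in {location} '{name}'"
    return verify_token(token, session_id, now)
```

A validator configured with `cookie` while the generator writes a header sees every request as token-less, which is the misconfiguration behind the 401 described above.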