CSRF Generator

This interceptor is used to ensure that the origin of incoming requests is legitimate and to prevent CSRF attacks.

Cross-Site Request Forgery (CSRF) is a malicious action undertaken by capturing a user’s active session token and taking advantage of that active session to send commands to an application through the victim’s browser. That is, malicious commands are sent from an authenticated browser, trusted by the website. The main condition for the attack to be successful is that the victim is authenticated in the vulnerable application and accesses another website containing malicious code. Usually, victims can’t realise that something unwanted is happening.

This image illustrates the way this type of attack happens:

To prevent CSRF, the interceptor must be added to the response flow of operations other than GET (that is, it applies to operations that include or modify data).

It works like this: when a request is made to a resource containing CSRF Generator, a second token following the settings defined by the user is created. This token must then be validated by a CSRF validation interceptor.

If the OAuth interceptor is already inserted in the flow, there’s no need to add the CSRF Generator/CSRF Validation interceptors to prevent attacks, since the OAuth feature imposes the inclusion of a token in the call.

These interceptors are recommended when the API is open (without OAuth or client ID authentication).

Configuring the interceptor

To configure the interceptor (see image below), inform the location of the token (e.g., header or cookie), a unique name, and the length of time in which the token will be valid (in seconds, in the field Expires in).

Thanks for your feedback!

EDIT

Share your suggestions with us!
Click here and then [+ Submit idea]