Anti-CSRF token (instance security hardening)
Use the glide.security.use_csrf_token property to ensure the use of a secure token to identify and validates incoming requests, which in turn are used to prevent these attacks.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
The following properties can be enabled for added controls over CSRF token:
- glide.security.csrf_previous.time_limit
- glide.security.csrf_previous.allow
- glide.security.csrf.strict.validation.mode
More information
| Attribute | Description |
|---|---|
| Property name | glide.security.use_csrf_token |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | To protect the application from potential CSRF attack. |
| Recommended value | true |
| Functional Impact | This remediation enables an extra validation step before the instance user submits a write request to the instance. Every write request contains a CSRF token (i.e a validation/CSRF ID tied to the user session). When the user session expires, the secure token expires with it. |
| Security risk | (High) Cross Site Request Forgery is a significant security risk that violates the integrity of the instance data. An attacker can launch the CSRF attack by abusing the trust of an instance user. With the help of social engineering attacks, a user can submit a malformed request on behalf of the attacker on the instance. |
To learn more about adding or creating a system property, see Add a system property.