CSRF Prevention

A CSRF filter is enabled by default, validating each modifying request performed through the webapps. The filter implements a (per-session) Synchronization Token method for CSRF validation with an optional Same Origin with Standard Headers verification.

If you would like to enable the additional Same Origin with Standard Headers verification, the targetOrigin init-parameter should be set in the web.xml file of your application. That, and some additional optional initialization parameters are:

  <!-- CSRF Prevention filter -->
  <filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>targetOrigin</param-name>
      <param-value>http://example.com</param-value>
    </init-param>
    <init-param>
      <param-name>denyStatus</param-name>
      <param-value>404</param-value>
    </init-param>
    <init-param>
      <param-name>randomClass</param-name>
      <param-value>java.security.SecureRandom</param-value>
    </init-param>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/api/engine/engine/default/history/task/count, /api/engine/engine/default/history/variable/count</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
Name Description
targetOrigin Application expected deployment domain: the domain name through which the webapps are accessed. If nothing is set, the _Same Origin with Standard Headers_ verification is not performed.
denyStatus HTTP response status code that is used when rejecting denied request. The default value is 403.
randomClass The name of the class to use to generate tokens. The class must be an instance of `java.util.Random`. If not set, the default value of `java.security.SecureRandom` will be used.
entryPoints Entry points are URLs that will not be tested for the presence of a valid token. They are used to provide a way to navigate back to the protected apps after navigating away from them.

On this Page: