CSRF Prevention
A CSRF filter is enabled by default, validating each modifying request performed through the webapps. The filter implements a (per-session) Synchronization Token method for CSRF validation with an optional Same Origin with Standard Headers verification.
In Spring Boot Starter, the configuration needs to be made in the application.yaml
.
Please read more about it here.
If you would like to enable the additional Same Origin with Standard Headers verification, the targetOrigin
init-parameter should be set in the web.xml
file of your application. That, and some additional optional initialization parameters are:
<!-- CSRF Prevention filter -->
<filter>
<filter-name>CsrfPreventionFilter</filter-name>
<filter-class>org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter</filter-class>
<init-param>
<param-name>targetOrigin</param-name>
<param-value>http://example.com</param-value>
</init-param>
<init-param>
<param-name>denyStatus</param-name>
<param-value>404</param-value>
</init-param>
<init-param>
<param-name>randomClass</param-name>
<param-value>java.security.SecureRandom</param-value>
</init-param>
<init-param>
<param-name>entryPoints</param-name>
<param-value>/api/engine/engine/default/history/task/count, /api/engine/engine/default/history/variable/count</param-value>
</init-param>
<init-param>
<param-name>enableSecureCookie</param-name>
<param-value>true</param-value> <!-- default value is false -->
</init-param>
<init-param>
<param-name>enableSameSiteCookie</param-name>
<param-value>true</param-value> <!-- default value is true -->
</init-param>
</filter>
<filter-mapping>
<filter-name>CsrfPreventionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Name | Description |
---|---|
targetOrigin | Application expected deployment domain: the domain name through which the webapps are accessed. If nothing is set, the Same Origin with Standard Headers verification is not performed. |
denyStatus | HTTP response status code that is used when rejecting denied request. The default value is 403. |
randomClass | The name of the class to use to generate tokens. The class must be an instance of `java.util.Random`. If not set, the default value of `java.security.SecureRandom` will be used. |
entryPoints | Entry points are URLs that will not be tested for the presence of a valid token. They are used to provide a way to navigate back to the protected apps after navigating away from them. |
enableSecureCookie |
If set to true , the cookie flag Secure is enabled.The default value is false .
|
enableSameSiteCookie |
If set to false , the cookie flag SameSite is disabled.The default value is true .
The default value of the SameSite cookie is LAX and it can be changed via sameSiteCookieOption configuration property.
|
sameSiteCookieOption |
Can be configured either to STRICT or LAX .Note: This property is ignored when enableSameSiteCookie is set to false .
|
sameSiteCookieValue |
A custom value for the cookie property. Note: This property is ignored when enableSameSiteCookie is set to false .
|
cookieName |
A custom value to change the cookie name. The default value is XSRF-TOKEN .Note: Please make sure to additionally change the cookie name for each webapp (e. g. Cockpit ) separately. |