The CSRF Protection Framework

Last update: 2023-11-08

In addition to the Apache Sling Referrer Filter, Adobe also provides a new CSRF Protection Framework to protect against this type of attack.

The framework makes use of tokens to guarantee that the client request is legitimate. The tokens are generated when the form is sent to the client and validated when the form is sent back to the server.

NOTE

There are no tokens on the publish instances for anonymous users.

Requirements

Dependencies

Any component that relies on the granite.jquery dependency can benefit from the CSRF Protection Framework automatically. If not, for any of your components, you must declare a dependency to granite.csrf.standalone before you can use the framework.

Replicating the Crypto Key

To use the tokens, you need to replicate the HMAC binary to all the instances in your deployment. See Replicating the HMAC key for more details.

NOTE

Make sure you also make the necessary Dispatcher configuration changes to use the CSRF Protection Framework.

NOTE

If you use the manifest cache with your web application, make sure you add “*” to the manifest to make sure the token does not take the CSRF token generation call offline. For more information, consult this link.

For more information on CSRF attacks and ways to mitigate them, see the Cross-Site Request Forgery OWASP page.

On this page