
Identity Manager 9.3 - Web Application Configuration Guide

Recommendations for secure operation of web applications

Configuring the HTTP header for the cross-site request forgery protection token

To prevent cross-site request forgery (CSRF) attacks, the API Server uses a token that the client sends with every protected request and that the server checks. A page on another origin cannot obtain the token, so a request that does not carry the expected token is rejected instead of being treated as coming from the authenticated user. The client submits the token in an HTTP header.

For CSRF protection to work properly, you must define the HTTP header that contains the CSRF protection token.

Required configuration keys:

  • Name of the HTTP header containing the CSRF protection token submitted by the client (XsrfProtectionHeaderName): Defines the HTTP header in which the client submits the CSRF protection token.

To configure the HTTP header for the cross-site request forgery protection token

  1. Log in to the Administration Portal (see Logging in to the Administration Portal).

  2. In the navigation, click Configuration.

  3. On the Configuration page, in the Show configuration for the following API project drop-down, select the API Server API project.

  4. Expand the Name of the HTTP header containing the CSRF protection token submitted by the client configuration key.

  5. In the Value field, enter the name of the HTTP header that contains the CSRF protection token submitted by the client.

  6. Click Apply.

  7. Perform one of the following actions:

    • If you want to apply the changes locally only, click Apply locally.

    • If you want to apply the changes globally, click Apply globally.

  8. Click Apply.

Configuring HTTP methods without cross-site request forgery protection

Specify which HTTP methods do NOT require cross-site request forgery (CSRF) protection.

Exempt only safe methods, that is, methods that do not change state (GET, HEAD, OPTIONS). Actions that trigger data changes or other critical operations must be performed using methods that remain CSRF protected (POST, PUT, PATCH, DELETE). Adding one of these methods to the list disables CSRF protection for every request that uses it.

Required configuration keys:

  • HTTP methods which do not require CSRF protection tokens (XsrfProtectionDisabledMethods): Defines which HTTP methods do not require CSRF protection tokens.

To configure the HTTP methods without CSRF protection

  1. Log in to the Administration Portal (see Logging in to the Administration Portal).

  2. In the navigation, click Configuration.

  3. On the Configuration page, in the Show configuration for the following API project drop-down, select the API Server API project.

  4. Expand the HTTP methods which do not require CSRF protection tokens configuration key.

  5. In the Value field, enter the HTTP methods that do not require CSRF protection tokens, separated by commas (for example, GET,HEAD,OPTIONS).

  6. Click Apply.

  7. Perform one of the following actions:

    • If you want to apply the changes locally only, click Apply locally.

    • If you want to apply the changes globally, click Apply globally.

  8. Click Apply.

Configuring behavior in the event of a cross-site request forgery attack

To configure the behavior in the event of a cross-site request forgery (CSRF) attack, you can specify that a user's session is ended as soon as the CSRF protection token submitted with a request does not match the token issued by the server. Ending the session limits what an attacker can achieve with a forged request; note that a legitimate user whose client submits a stale or missing token is logged out as well.

Required configuration keys:

  • End session when a CSRF protection token mismatch is detected (XsrfProtectionEndOnMismatch): Specifies whether the session should end if a mismatch of the CSRF protection token is detected.

To configure the behavior in the event of a CSRF attack

  1. Log in to the Administration Portal (see Logging in to the Administration Portal).

  2. In the navigation, click Configuration.

  3. On the Configuration page, in the Show configuration for the following API project drop-down, select the API Server API project.

  4. Expand the End session when a CSRF protection token mismatch is detected configuration key.

  5. Perform one of the following actions:

    • To end the session when a CSRF protection token mismatch is detected, select the End session when a CSRF protection token mismatch is detected check box.

    • To keep the session when a CSRF protection token mismatch is detected, clear the End session when a CSRF protection token mismatch is detected check box.

  6. Click Apply.

  7. Perform one of the following actions:

    • If you want to apply the changes locally only, click Apply locally.

    • If you want to apply the changes globally, click Apply globally.

  8. Click Apply.

Configuring the cross-site request forgery protection cookie

To ensure that cross-site request forgery (CSRF) protection is implemented effectively, you can configure the CSRF protection cookie.

The CSRF protection cookie carries the token that the server issues to the client. The client-side application reads the token from the cookie and returns it to the server in the CSRF protection header with each protected request. The server compares the token submitted in the header with the one it issued: a page on another origin can make the browser attach the cookie, but it cannot read the cookie and so cannot supply a matching header, which is how a forged request is told apart from a request by the authenticated user.

Required configuration keys:

  • Name of the cookie containing the CSRF protection token issued by the server (XsrfProtectionCookieName): Defines the cookie that contains the CSRF protection token issued by the server.

  • Path for the CSRF protection cookie (XsrfProtectionCookiePath): Sets the Path attribute of the cookie. The browser sends the cookie only with requests whose URL path begins with this value.

  • Domain for the CSRF protection cookie (XsrfProtectionCookieDomain): Sets the Domain attribute of the cookie, that is, the hosts that receive the cookie. Keep it as narrow as possible; a domain that covers more hosts than the API Server exposes the token to every application on those hosts.

To configure the CSRF protection cookie

  1. Log in to the Administration Portal (see Logging in to the Administration Portal).

  2. In the navigation, click Configuration.

  3. On the Configuration page, in the Show configuration for the following API project drop-down, select the API Server API project.

  4. Expand the Name of the cookie containing the CSRF protection token issued by the server configuration key.

  5. In the Value field, enter the name of the cookie that contains the CSRF protection token issued by the server.

  6. Expand the Path for the CSRF protection cookie configuration key.

  7. In the Value field, enter the URL path with which the browser must send the cookie.

  8. Expand the Domain for the CSRF protection cookie configuration key.

  9. In the Value field, enter the domain whose hosts receive the cookie.

  10. Click Apply.

  11. Perform one of the following actions:

    • If you want to apply the changes locally only, click Apply locally.

    • If you want to apply the changes globally, click Apply globally.

  12. Click Apply.
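The four configuration keys described in the sections above belong to one mechanism, the double-submit cookie pattern: the server issues the token in the cookie named by XsrfProtectionCookieName, the client echoes it in the header named by XsrfProtectionHeaderName, methods listed in XsrfProtectionDisabledMethods skip the check, and XsrfProtectionEndOnMismatch decides what a failed check does to the session. The following Python model is added here as an illustration; it is not One Identity's code. It plays both sides of the exchange and also flags an exemption list that contains a state-changing method. The header and cookie names, the path, and the cookie attributes are assumed values chosen for the example, not the product's defaults; only the configuration key names in the comments are the ones the guide documents.

```python
"""Double-submit-cookie CSRF check modelled on the four XsrfProtection* keys.

Added illustration only: not One Identity's code. The default values below are
assumptions for the example, not the product's shipped defaults.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# RFC 7231 "safe" methods: the only ones that should ever be exempted.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class XsrfConfig:
    # Each field stands in for the configuration key named in its comment.
    header_name: str = "X-XSRF-TOKEN"            # XsrfProtectionHeaderName (assumed value)
    cookie_name: str = "XSRF-TOKEN"              # XsrfProtectionCookieName (assumed value)
    cookie_path: str = "/"                       # XsrfProtectionCookiePath (assumed value)
    cookie_domain: str = ""                      # XsrfProtectionCookieDomain ("" = host-only)
    disabled_methods: str = "GET,HEAD,OPTIONS"   # XsrfProtectionDisabledMethods, comma-delimited
    end_on_mismatch: bool = True                 # XsrfProtectionEndOnMismatch


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    reason: str
    end_session: bool = False


def parse_disabled_methods(value: str) -> set:
    """Split the comma-delimited configuration value into upper-cased method names."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def unsafe_exemptions(cfg: XsrfConfig) -> set:
    """Exempted methods that can change state; a non-empty result is a misconfiguration."""
    return parse_disabled_methods(cfg.disabled_methods) - SAFE_METHODS


def issue_cookie(cfg: XsrfConfig) -> tuple:
    """Server side: mint a fresh token and the Set-Cookie value that carries it."""
    token = secrets.token_urlsafe(32)
    attrs = [f"{cfg.cookie_name}={token}", f"Path={cfg.cookie_path}", "Secure", "SameSite=Strict"]
    if cfg.cookie_domain:
        attrs.append(f"Domain={cfg.cookie_domain}")
    # Deliberately not HttpOnly: same-origin script must read it to fill the header.
    return token, "; ".join(attrs)


def client_request(cfg: XsrfConfig, method: str, jar: dict, cross_site: bool = False) -> Request:
    """Browser side. The cookie is attached automatically to every request; only
    same-origin script can read its value and echo it in the header."""
    headers = {}
    if not cross_site:
        headers[cfg.header_name] = jar[cfg.cookie_name]
    return Request(method, headers, dict(jar))


def check_request(cfg: XsrfConfig, req: Request) -> Verdict:
    """Server side: compare the client-submitted header with the server-issued cookie."""
    if req.method.upper() in parse_disabled_methods(cfg.disabled_methods):
        return Verdict(True, "method exempt from CSRF check")
    header_token = next(
        (v for k, v in req.headers.items() if k.lower() == cfg.header_name.lower()), None
    )
    cookie_token = req.cookies.get(cfg.cookie_name)
    if not header_token or not cookie_token:
        # A forged cross-site request carries the cookie but never the header.
        return Verdict(False, "CSRF token missing", cfg.end_on_mismatch)
    if not hmac.compare_digest(header_token.encode(), cookie_token.encode()):
        return Verdict(False, "CSRF token mismatch", cfg.end_on_mismatch)
    return Verdict(True, "CSRF token valid")


def demo() -> dict:
    """Run the exchange once and return the verdicts for several request kinds."""
    cfg = XsrfConfig()
    token, set_cookie = issue_cookie(cfg)      # server response after login
    jar = {cfg.cookie_name: token}             # browser stores the cookie
    return {
        "set_cookie": set_cookie,
        "same_origin_post": check_request(cfg, client_request(cfg, "POST", jar)),
        "cross_site_post": check_request(cfg, client_request(cfg, "POST", jar, cross_site=True)),
        "cross_site_get": check_request(cfg, client_request(cfg, "GET", jar, cross_site=True)),
        "bad_exemptions": unsafe_exemptions(XsrfConfig(disabled_methods="GET, HEAD, POST")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run the module directly to see the verdicts. The cross-site POST fails because the attacker's page can make the browser attach the cookie but cannot read it to fill the header; the cross-site GET passes only because GET is in the exemption list, which is why that list must never contain a state-changing method. With XsrfProtectionEndOnMismatch cleared, the same failed request is still rejected but the session survives.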
