How to protect against Cross-Site Request Forgery (CSRF)

You can help protect against Cross-Site Request Forgery (CSRF) attacks against StorageGRID Webscale by using CSRF tokens to enhance authentication that uses cookies. The Grid Management Interface and Tenant Management Interface automatically enable this security feature; other API clients can choose whether to enable it at the time of signin

An attacker that can trigger a request to a different site (such as with an HTTP form POST) can cause certain requests to be made using the signed-in user’s cookies.

StorageGRID Webscale helps protect against CSRF attacks by using CSRF tokens. When enabled, the contents of a specific cookie must match the contents of either a specific header or a specific POST body parameter.

To enable the feature, set the csrfToken parameter to true during authentication. The default is false.
curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" -d "{
  \"username\": \"MyUserName\",
  \"password\": \"MyPassword\",
  \"cookie\": true,
  \"csrfToken\": true
}" ""

When true, a GridCsrfToken cookie is set with a random value for signins to the Grid Management Interface, and the AccountCsrfToken cookie is for signins to the Tenant Management Interface.

If the cookie is present, all requests that can modify the state of the system (POST, PUT, PATCH, DELETE) must include one of the following:

See the online API documentation for additional examples and details.

Note: Requests that have a CSRF token cookie set will also enforce the "Content-Type: application/json" header for any request that expects a JSON request body as an additional protection against CSRF attacks.