Protecting against Cross-Site Request Forgery (CSRF)
You can help protect against Cross-Site Request Forgery (CSRF) attacks against StorageGRID by using CSRF tokens to enhance authentication that uses cookies. The Grid Manager and Tenant Manager automatically enable this security feature; other API clients can choose whether to enable it when they sign in.
An attacker that can trigger a request to a different site (such as with an HTTP form POST) can cause certain requests to be made using the signed-in user's cookies.
StorageGRID helps protect against CSRF attacks by using CSRF tokens. When enabled, the contents of a specific cookie must match the contents of either a specific header or a specific POST body parameter.
To enable the feature, set the csrfToken
parameter to true
during authentication. The default is false
.
curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" -d "{ \"username\": \"MyUserName\", \"password\": \"MyPassword\", \"cookie\": true, \"csrfToken\": true }" "https://example.com/api/v3/authorize"
When true, a GridCsrfToken
cookie is set with a random value for sign-ins to the Grid Manager, and the AccountCsrfToken
cookie is set with a random value for sign-ins to the Tenant Manager.
If the cookie is present, all requests that can modify the state of the system (POST, PUT, PATCH, DELETE) must include one of the following:
-
The
X-Csrf-Token
header, with the value of the header set to the value of the CSRF token cookie. -
For endpoints that accept a form-encoded body: A
csrfToken
form-encoded request body parameter.
See the online API documentation for additional examples and details.
Requests that have a CSRF token cookie set will also enforce the "Content-Type: application/json" header for any request that expects a JSON request body as an additional protection against CSRF attacks.
|