Protect against Cross-Site Request Forgery (CSRF)
Suggest changes
PDFs
You can help protect against Cross-Site Request Forgery (CSRF) attacks against StorageGRID by using CSRF tokens to enhance authentication that uses cookies. The Grid Manager and Tenant Manager automatically enable this security feature; other API clients can choose whether to enable it when they sign in.
An attacker that can trigger a request to a different site (such as with an HTTP form POST) can cause certain requests to be made using the signed-in user's cookies.
StorageGRID helps protect against CSRF attacks by using CSRF tokens. When enabled, the contents of a specific cookie must match the contents of either a specific header or a specific POST body parameter.
To enable the feature, set the csrfToken parameter to true during authentication. The default is false.
curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" -d "{
\"username\": \"MyUserName\",
\"password\": \"MyPassword\",
\"cookie\": true,
\"csrfToken\": true
}" "https://example.com/api/v3/authorize"
When true, a GridCsrfToken cookie is set with a random value for sign-ins to the Grid Manager, and the AccountCsrfToken cookie is set with a random value for sign-ins to the Tenant Manager.
If the cookie is present, all requests that can modify the state of the system (POST, PUT, PATCH, DELETE) must include one of the following:
-
The
X-Csrf-Tokenheader, with the value of the header set to the value of the CSRF token cookie. -
For endpoints that accept a form-encoded body: A
csrfTokenform-encoded request body parameter.
See the online API documentation for additional examples and details.
|
Requests that have a CSRF token cookie set will also enforce the "Content-Type: application/json" header for any request that expects a JSON request body as an additional protection against CSRF attacks. |