Enabling cross-site request forgery protection in REST
Enabling cross-site request forgery (CSRF) protection is recommended when your REST API relies on session cookies for authentication, because the browser attaches those cookies to any request for the site, whatever page originated it. If your REST API authenticates with the WCToken or WCTrustedToken tokens instead, additional CSRF protection is not required: those tokens are sent as HTTP headers that the calling code adds explicitly, and a browser does not add them to a request on a user's behalf.
About this task
Cross-site request forgery is a type of malicious attack that tricks a user into sending requests that modify data without intending to, and it works when cookies alone are used for authentication. For example, an attacker can trick an authenticated user into clicking a link or loading a page that updates the user's personal information without their knowledge. In such a case an unprotected HCL Commerce site would accept the request as valid, because the proper session cookies are present in the request.
When CSRF protection is enabled, a special HTTP header, called WCAuthToken, is required as part of the request. When the token is required, its value must equal the authToken request attribute that the store runtime sets, so a request that omits the header or carries a value that does not match is not accepted. Because a page on another origin cannot read that value or set a custom header on a cross-site form submission, the session cookies alone no longer suffice.