Enabling cross-site request forgery protection in REST

Enabling cross-site request forgery (CSRF) protection is recommended when using REST APIs with cookies for authentication. If your REST API uses the WCToken or WCTrustedToken tokens for authentication, then additional CSRF protection is not required.

About this task

Cross-site request forgery is an attack that tricks a user's browser into sending unintended requests that modify data. It succeeds when cookies alone are used for authentication, because the browser attaches those cookies to every request it sends to the site, regardless of which page triggered the request. For example, an attacker can trick an authenticated user into clicking a link that updates their personal information without their knowledge. An unprotected HCL Commerce site would accept such a request as valid, because the proper session cookies are present in the request.

However, when CSRF protection is enabled, a special HTTP header called WCAuthToken is required on state-changing (DELETE, PUT and POST) requests that are authenticated with cookies. When the header is expected, its value must be equal to the authToken request attribute set by the store runtime; a request whose header is missing or does not match is not treated as valid.

Note: The WCAuthToken option is disabled by default, because the default authentication tokens, WCToken and WCTrustedToken, are passed in HTTP headers rather than cookies. A browser does not attach custom headers to a cross-site request, so those tokens already protect against this type of attack.

Procedure

To enable the WCAuthToken for CSRF protection:
  1. Open the custom foundation component configuration file WCDE_installdir/workspace/WC/xml/config/com.ibm.commerce.foundation/wc-component.xml in the Transaction server Docker container.
  2. Set the AuthTokenEnabled property to true in the REST configuration group. For example,
    <_config:configgrouping name="REST">
      <!-- Determines if the WCAuthToken HTTP header field is required for DELETE/PUT/POST calls when cookies are used for authentication. Its value must be equal to the authToken request attribute set by the store runtime. -->
      <_config:property name="AuthTokenEnabled" value="true"/>
    </_config:configgrouping>
  3. Deploy the change to the production environment.

Results

The WCAuthToken header is now required on DELETE, PUT and POST REST calls that are authenticated with cookies, so a forged cross-site request that carries only the user's session cookies is no longer accepted as valid. Confirm that your store front end sends the WCAuthToken header, set from the authToken request attribute, on every such call; otherwise legitimate requests from your own pages are refused as well.