Enabling cross-site request forgery protection in Spring
Cross-site request forgery (CSRF) is a type of malicious attack that tricks a user into sending requests they did not intend to send. For example, an attacker can trick an authenticated user into clicking a link that updates the user's personal information. HCL Commerce accepts this request as valid because the browser automatically attaches the user's session cookies to it.
About this task
When cross-site request forgery protection is enabled, a designated URL parameter that is called authToken is required to be included as part of the request. The parameter value is generated by HCL Commerce and passed to the page in a request attribute with the same name.
Note: The authToken parameter is available only on SSL-protected pages, because the token must never be exposed in clear text. Only sensitive URLs that use SSL require this protection. CSRF protection in HCL Commerce is intended to protect a user after the user has fully authenticated, not in a partially authenticated (remembered) state.
Procedure
Results
Note: When a cross-site request forgery violation is detected, the request is forwarded to the CrossSiteRequestForgeryErrorView view. That is, the view is shown when a request to a URL that is configured to be protected does not include the authToken parameter.
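The following stand-alone model ties together the two notes above: the token is exposed to a page only over SSL and only for a fully authenticated user, protected requests must carry it back as the authToken parameter, and a violation forwards to CrossSiteRequestForgeryErrorView. This is an added example written for this page, not HCL Commerce's Spring implementation; the names `PROTECTED_URLS`, `Session`, `Request`, `expose_token` and `check_csrf` are the example's own, and rejecting a mismatched (not just missing) token and a plain-HTTP request to a protected URL are the example's conservative generalizations of what the page describes.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Names taken from the page: the request parameter/attribute and the error view.
TOKEN_PARAM = "authToken"
ERROR_VIEW = "CrossSiteRequestForgeryErrorView"

# Constructed for this example: the set of SSL-only URLs configured for protection.
PROTECTED_URLS = {"/UpdateUserRegistration", "/ChangePassword"}


@dataclass
class Session:
    """Server-side session. fully_authenticated=False models the 'remembered' state."""
    fully_authenticated: bool
    auth_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    path: str
    secure: bool                      # True when the request arrived over SSL/TLS
    params: dict = field(default_factory=dict)
    attributes: dict = field(default_factory=dict)


def expose_token(session: Session, request: Request) -> bool:
    """Page-generation side: pass the session's token to the page as a request
    attribute named authToken, but only on an SSL page for a fully authenticated
    user, so the token is never sent in clear text. Returns True when exposed."""
    if request.secure and session.fully_authenticated:
        request.attributes[TOKEN_PARAM] = session.auth_token
        return True
    return False


def check_csrf(session: Session, request: Request):
    """Request-processing side: return None if the request may proceed, or the
    name of the view to forward to on a CSRF violation."""
    if request.path not in PROTECTED_URLS:
        return None
    if not session.fully_authenticated:
        # The protection is scoped to fully authenticated users (see the note above).
        return None
    if not request.secure:
        # Example's own conservative choice: a protected URL is an SSL URL, so a
        # plain-HTTP request to it can never carry a token that was exposed legitimately.
        return ERROR_VIEW
    supplied = request.params.get(TOKEN_PARAM)
    if supplied is None:
        return ERROR_VIEW                      # missing token: the case the page names
    # Constant-time comparison so a guessed token cannot be confirmed byte by byte.
    if not hmac.compare_digest(supplied.encode(), session.auth_token.encode()):
        return ERROR_VIEW                      # mismatched token: example's generalization
    return None


def legitimate_form_post(session: Session, path: str) -> Request:
    """A form rendered by the site: its hidden authToken field is filled from the
    request attribute that page generation exposed on the (SSL) account page."""
    page = Request(path="/AccountPage", secure=True)
    expose_token(session, page)
    return Request(path=path, secure=True,
                   params={"email": "new@example.test",
                           TOKEN_PARAM: page.attributes[TOKEN_PARAM]})


def forged_cross_site_post(path: str) -> Request:
    """An attacker's page submits the same form. The browser attaches the victim's
    session cookie, but the attacker cannot read the token, so it is absent."""
    return Request(path=path, secure=True, params={"email": "attacker@example.test"})


if __name__ == "__main__":
    victim = Session(fully_authenticated=True)
    print(check_csrf(victim, legitimate_form_post(victim, "/UpdateUserRegistration")))
    print(check_csrf(victim, forged_cross_site_post("/UpdateUserRegistration")))
```

The forged request carries the victim's cookies exactly as the page describes, yet it cannot carry the token, so it lands on the error view; the same request issued from a "remembered" session is deliberately left outside the check, matching the stated scope of the protection.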