HTTP CSRF protection

Cross-site request forgery (CSRF) is a class of attack that forces an authenticated end user to execute unwanted actions on a web application, using the credentials the browser already holds for that application. You can configure CSRF protection in Release.

Configuring the CSRF settings

To configure the CSRF settings:

  1. Add the xl, server and http properties to the XL_RELEASE_SERVER_HOME/conf/xl-release.conf configuration file.
  2. In the http property, add an additional csrf property. This property identifies the predefined CSRF configuration you wish to use. The supported parameters are:

     Parameter | Description
     ----------|----------------------------------------------------
     enabled   | Whether to enable CSRF protection. Default is true.

Sample CSRF settings

xl {
    server {
        http {
            csrf {
                # CSRF protection is on by default; set to false only if your
                # custom code relies on internal APIs (see the note below)
                enabled = true
            }
        }
    }
}

Note: Users whose own custom implementation calls internal APIs instead of the public REST APIs should either disable CSRF protection or adjust their code to use the public APIs instead of the internal ones.