You are viewing the documentation for Blueriq 14. Documentation for other versions is available in our documentation directory.

Cross-Site Request Forgery protection (CSRF)

The Runtime protects against Cross-Site Request Forgery (CSRF) using a variant of the Synchronizer Token pattern for POST requests to the /session/ URL pattern. Only Blueriq's own controllers are protected, as customers may use other methods or frameworks for this purpose; both Spring MVC and ASP.NET MVC provide their own CSRF protection mechanisms. The CSRF mechanism is as follows:

  1. On every full page reload a CSRF token is generated; this token is stored in the session and sent to the client inside the JSON message.
  2. On any subsequent POST request to a protected URL, the client must send the CSRF token.
  3. The CSRF interceptor checks whether the client sent a token and whether it matches the token stored in the session, and allows access only if there is a match.
  4. If the token is not present or does not match, access to the protected URL is denied and the interceptor responds with 403 Invalid CSRF Token.

The Synchronizer Token pattern has been extended to support multiple Blueriq sessions.
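The four steps above and the multi-session extension, as an added illustrative model (not Blueriq's own Runtime code): a server-side session keeps one token per Blueriq session id, `issue_token` plays the full page reload, and `csrf_interceptor` plays the interceptor for POSTs under /session/. The per-session token map, the function names and the JSON field names are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

PROTECTED_PREFIX = "/session/"   # URL pattern guarded by the interceptor


@dataclass
class HttpSession:
    """Server-side session. Assumption: one CSRF token is kept per Blueriq
    session id so that several Blueriq sessions can share one HTTP session."""
    csrf_tokens: dict = field(default_factory=dict)  # blueriq session id -> token


def issue_token(session: HttpSession, bq_session_id: str) -> dict:
    """Step 1: on a full page reload, generate a fresh token, store it in the
    session and return the JSON message body that carries it to the client."""
    token = secrets.token_urlsafe(32)
    session.csrf_tokens[bq_session_id] = token
    return {"sessionId": bq_session_id, "csrfToken": token}


def csrf_interceptor(session: HttpSession, method: str, path: str,
                     bq_session_id: str, sent_token):
    """Steps 2-4: returns (status, reason). Only POSTs under /session/ are
    checked; any other request passes through untouched."""
    if method != "POST" or not path.startswith(PROTECTED_PREFIX):
        return 200, "OK"
    expected = session.csrf_tokens.get(bq_session_id)
    if sent_token is None or expected is None:
        return 403, "Invalid CSRF Token"
    # Constant-time comparison so a mismatch does not leak token bytes via timing.
    if not hmac.compare_digest(expected.encode(), sent_token.encode()):
        return 403, "Invalid CSRF Token"
    return 200, "OK"


if __name__ == "__main__":
    http_session = HttpSession()
    page = issue_token(http_session, "bq-1")          # client receives this JSON
    print(csrf_interceptor(http_session, "POST", "/session/bq-1/continue",
                           "bq-1", page["csrfToken"]))  # (200, 'OK')
    print(csrf_interceptor(http_session, "POST", "/session/bq-1/continue",
                           "bq-1", None))               # (403, 'Invalid CSRF Token')
```

A token issued for one Blueriq session is deliberately not accepted for another, and a new full page reload replaces the stored token, so a client that keeps a stale token is rejected until it reloads.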