Enable CSRF protection on GET requests for anonymous users | Community
New Member
September 27, 2024
Solved


  • September 27, 2024
  • 3 replies
  • 805 views

Hi all,

In my current project we are thinking of a strategy to secure GET endpoints which are accessible by anonymous users. The goal is to have some kind of unique temporary token that will be validated on the backend, so that it is more difficult to hit the endpoint with no limitation. I am looking for a code-side solution, and not firewall rules, which are already in place.

My initial idea was to extend CSRF protection to these GET endpoints, however according to the CSRF documentation, these tokens cannot be generated by anonymous users: The CSRF Protection Framework | Adobe Experience Manager

And indeed, if I hit /libs/granite/csrf/token.json as anonymous user, I can see an empty response.

Is there a way to enable generation of CSRF tokens for anonymous users too? If yes, do you see any potential security issues related to exposing the CSRF generator to anonymous users?


3 replies

EstebanBustamante
Community Advisor and Adobe Champion
September 27, 2024

Hi,

No, you cannot generate CSRF tokens for publishers. I don't fully understand what you are trying to accomplish, so perhaps you could elaborate a bit more. If you're looking to secure some endpoints for a specific set of users, you might consider exploring CORS, Basic Authentication, OAuth2, or even simply checking a header or cookie with a temporary token.

I hope this helps!

Esteban Bustamante
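One way to implement the "header or cookie with a temporary token" option mentioned above, as an added example that is not from this thread or from Adobe: a Sling request filter that lets an anonymous GET through only when its X-Temp-Token header carries an unexpired, HMAC-signed expiry time. The class name, the protected path pattern, the header name and the hard-coded placeholder secret are assumptions, and a separate servlet that hands out issue(...) to the caller is assumed and not shown.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
import org.osgi.service.component.annotations.Component;

// Sling request filter: GETs under the protected path need an unexpired X-Temp-Token header.
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "sling.filter.pattern=/content/myapp/api/.*" })   // hypothetical protected path
public class TempTokenFilter implements Filter {
    private static final long TTL_MILLIS = 5 * 60 * 1000L; // token lifetime: 5 minutes
    // Placeholder only: in AEM load the secret from OSGi configuration, never hard-code it.
    private static final byte[] SECRET = "replace-with-configured-secret".getBytes(StandardCharsets.UTF_8);

    // Token = "<expiryMillis>.<base64url(HMAC-SHA256(expiryMillis))>"; an issuing servlet (not shown) returns it.
    static String issue(byte[] secret, long nowMillis) throws Exception {
        String exp = Long.toString(nowMillis + TTL_MILLIS);
        return exp + "." + sign(secret, exp);
    }

    static boolean isValid(byte[] secret, String token, long nowMillis) throws Exception {
        int dot = token == null ? -1 : token.indexOf('.');
        if (dot <= 0) return false;
        long expMillis; try { expMillis = Long.parseLong(token.substring(0, dot)); } catch (NumberFormatException e) { return false; }
        if (expMillis < nowMillis) return false; // expired
        // constant-time comparison so a timing difference does not leak the MAC
        return MessageDigest.isEqual(sign(secret, token.substring(0, dot)).getBytes(StandardCharsets.UTF_8),
                token.substring(dot + 1).getBytes(StandardCharsets.UTF_8));
    }

    private static String sign(byte[] secret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        try {
            if ("GET".equals(request.getMethod()) && !isValid(SECRET, request.getHeader("X-Temp-Token"), System.currentTimeMillis())) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        } catch (Exception e) { throw new ServletException(e); }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig c) {} @Override public void destroy() {}
}
```

Anything an anonymous browser can fetch, an abusive client can fetch as well, so a token like this raises the cost of unthrottled hits but does not replace rate limiting at the Dispatcher or gateway.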
RiteshY18
Community Advisor (Accepted solution)
September 27, 2024

@mateuszra Maybe think of keeping your endpoint behind an API gateway and let the gateway do the access/validation etc. part, and then route the request to the actual API.

kautuk_sahni
Community Manager
October 9, 2024

@mateuszra Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni