
SOLVED

AEM with CDN how to handle csrf token


Level 5

 

I understand the CSRF token should not be cached at the dispatcher level. How does this play out when a CDN is in front of the dispatcher? Is it OK for the CDN to cache the CSRF token? Would that be a likely configuration by default? Should we instead configure the CDN to forward the tokens back to the dispatcher, like we can do with cookies, query string parameters, etc.? I'm wondering if cached content is vulnerable to the attacks the token aims to prevent.

 

Thanks for any info!

1 Accepted Solution


Correct answer by
Community Advisor

Hi,

In that case you can cache the CSRF token at Akamai or block it at Akamai, as making the CSRF call does not have any impact.

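As an added check that is not part of the thread or of Adobe's documentation, the Python below applies the accepted answer's reasoning to responses from the CDN for the AEM token endpoint `/libs/granite/csrf/token.json`: a cache hit carrying an empty token is harmless (the anonymous case), while a non-empty per-user token served from cache means the CDN must bypass that path to the dispatcher. The `{"token": ...}` body format and the use of `X-Cache`/`Age` headers as cache-hit indicators are assumptions, and the sample responses are constructed.

```python
import json

# Cache indicators. Akamai reports "X-Cache: TCP_HIT ..." when its debug
# headers are enabled (assumption); "Age" is the standard HTTP header that
# is non-zero on any response served from a cache.
def served_from_cache(headers):
    h = {k.lower(): v for k, v in headers.items()}
    if "hit" in h.get("x-cache", "").lower():
        return True
    try:
        return int(h.get("age", "0")) > 0
    except ValueError:
        return False

def token_value(body):
    """Token string from a token.json body ({"token": ...}); '' if absent."""
    try:
        return str(json.loads(body).get("token", "") or "")
    except (ValueError, AttributeError):
        return ""

def classify(status, headers, body):
    """Classify one CDN response for /libs/granite/csrf/token.json.
    'blocked': CDN refused the call (fine for an anonymous site).
    'cached-empty-token': cache hit with an empty token, the harmless
        anonymous case the accepted answer describes.
    'cached-session-token': a non-empty per-user token was served from
        cache; the CDN must bypass this path to the dispatcher.
    'origin-token': token came from origin, not cached.
    """
    if status in (401, 403, 404):
        return "blocked"
    cached = served_from_cache(headers)
    token = token_value(body)
    if cached and token:
        return "cached-session-token"
    if cached:
        return "cached-empty-token"
    return "origin-token"

# Constructed sample responses, not captured from a real deployment.
SAMPLES = {
    "anon-hit": (200, {"X-Cache": "TCP_HIT from cache.example.net", "Age": "120"}, '{"token":""}'),
    "auth-hit": (200, {"Age": "30"}, '{"token":"abcdef0123456789"}'),
    "origin": (200, {"X-Cache": "TCP_MISS", "Cache-Control": "no-store"}, '{"token":"fedcba9876543210"}'),
    "blocked": (403, {}, "Forbidden"),
}

def audit(samples=SAMPLES):
    """Map each sample name to its classification."""
    return {name: classify(*resp) for name, resp in samples.items()}
```

Feed it real header/body pairs captured from two fetches through the CDN; only the `cached-session-token` verdict indicates the CDN needs a bypass or no-store rule for this path.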

3 Replies


Community Advisor

Hi,

 

Are you making anonymous calls to the publisher? If so, the CSRF token will be empty and there is no need to pass it to the dispatcher; it can be cached in the CDN or blocked.

 

For more information: https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/csrf-protectio...


Level 5

Hi Ravi,

 

I believe all of the calls are anonymous, we're not doing any authenticated content on the publish/dispatcher side. Some forms may be submitted, but nothing is submitted back to AEM. Thanks for your input.

 
