I understand the CSRF token should not be cached at the dispatcher level. How does this play out when a CDN is in front of the dispatcher? Is it OK for the CDN to cache the CSRF token? Would that be a likely configuration by default? Should we instead configure the CDN to forward the tokens back to the dispatcher, like we can do with cookies, query string parameters, etc.? I'm wondering whether cached content is vulnerable to the attacks the token aims to prevent.
Thanks for any info!
Hi,
In that case you can cache the CSRF token at Akamai or block it at Akamai, as making the CSRF call does not have any impact.
Hi,
Are you making an anonymous call to the publisher? If so, the CSRF token will be empty and there is no need to pass it to the dispatcher; it can be cached in the CDN or blocked.
For more information: https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/csrf-protectio...
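As an added illustration (not part of this thread or of Adobe's documentation) of the "do not cache at the dispatcher" side of the question, the following dispatcher.any cache-rule fragment keeps the token endpoint out of the dispatcher's cache regardless of what the CDN in front of it does, so an authenticated user can never be served a token that was generated for someone else. It assumes the standard AEM token endpoint path /libs/granite/csrf/token.json and a typical /content/* allow rule; both are assumptions, not values taken from the thread.

```text
# dispatcher.any excerpt (added example, assumed paths)
/cache
  {
  /rules
    {
    # default: cache nothing
    /0000 { /glob "*" /type "deny" }
    # cache the published site content
    /0001 { /glob "/content/*" /type "allow" }
    # weak setting to avoid: letting the token endpoint fall under an allow rule
    # /0002 { /glob "/libs/*" /type "allow" }
    # corrected setting: the CSRF token response is per request/session and must
    # always be fetched from the publisher, never served from the dispatcher cache
    /0002 { /glob "/libs/granite/csrf/token.json" /type "deny" }
    }
  }
```

With this rule in place the CDN decision discussed above can be made independently: for a fully anonymous site the token body is empty, so caching or blocking the endpoint at the CDN is harmless, whereas a site with any authenticated publish traffic should configure the CDN to bypass its cache for this path so each request reaches the dispatcher and, through the deny rule, the publisher.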
Hi Ravi,
I believe all of the calls are anonymous, we're not doing any authenticated content on the publish/dispatcher side. Some forms may be submitted, but nothing is submitted back to AEM. Thanks for your input.