SOLVED

CSRF token is empty in 6.3 publisher for anonymous user


Level 1

In the anonymous user POST calls, I want to enable the CSRF token. However, it is empty ({}) in the publish instance of AEM 6.3. I have added the configurations mentioned in the link below, but it is not working.

Adobe Experience Manager Help | Understanding Cross-Origin Resource Sharing (CORS) with AEM

Can anyone suggest what might be wrong?

1 Accepted Solution


Correct answer by
Community Advisor

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json) and include the returned token in your servlet request as the "CSRF-Token" header. Please add the below-mentioned configurations to your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...


Aanchal Sikka

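The token fetch and header handling described in the answer above, written out as an added example that is not part of the original thread. It assumes the endpoint answers with `{"token":"..."}` (or the empty `{}` the question reports), and the function names `extractCsrfToken`, `buildCsrfPostOptions` and `postWithCsrf` are my own; the client refuses to send the POST when no token was issued, so an unprotected request never goes out silently.

```javascript
// Added example (not from the original post): obtain a Granite CSRF token
// from the endpoint named in the answer and attach it to a same-origin POST.
// Assumes the endpoint body is {"token":"..."} or {} when no token is issued.

const CSRF_TOKEN_ENDPOINT = "/libs/granite/csrf/token.json";

// Parse the token.json body. Returns null for the empty {} described in the
// question, so callers can tell "no token" apart from a real token value.
function extractCsrfToken(body) {
  if (body && typeof body.token === "string" && body.token.length > 0) {
    return body.token;
  }
  return null;
}

// Build the fetch() options for a POST that carries the token in the
// CSRF-Token header. Throws rather than sending an unprotected request.
function buildCsrfPostOptions(token, formFields) {
  if (!token) {
    throw new Error("no CSRF token available; refusing to send POST");
  }
  return {
    method: "POST",
    credentials: "same-origin", // the token is bound to the caller's session
    headers: {
      "CSRF-Token": token,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams(formFields).toString(),
  };
}

// Browser flow: one request to the token endpoint, then the protected POST.
// fetchFn is injectable so the logic can be exercised without a server.
async function postWithCsrf(url, formFields, fetchFn = globalThis.fetch) {
  const tokenRes = await fetchFn(CSRF_TOKEN_ENDPOINT, { credentials: "same-origin" });
  if (!tokenRes.ok) {
    throw new Error(`token endpoint returned HTTP ${tokenRes.status}`);
  }
  const token = extractCsrfToken(await tokenRes.json());
  return fetchFn(url, buildCsrfPostOptions(token, formFields));
}
```

On a publisher where the anonymous token.json answer is `{}`, `postWithCsrf` throws instead of posting, which surfaces the misconfiguration in the browser console rather than as a silently rejected request.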