Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.
Read More.
SOLVED

CSRF token is empty in 6.3 publisher for anonymous user

Avatar

Level 1
Level 1
10/10/18 3:35:40 AM

In the anonymous user POST calls, i want to enable the CSRF token. However its empty, {} in the publish instance of AEM 6.3. I have added the configurations mentioned in the below link, but it is not working.

Adobe Experience Manager Help | Understanding Cross-Origin Resource Sharing (CORS) with AEM

Can anyone suggest what might be wrong?

Views

571

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
5/21/24 3:56:46 AM

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

 

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

 

aanchalsikka_0-1716288984894.png

 

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json), and include the returned token in your servlet request as the “CSRF-Token” header. Please add below mentioned configurations in your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...

Aanchal Sikka

View solution in original post

Views

88

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Community Advisor
Community Advisor
5/21/24 3:56:46 AM

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

 

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

 

aanchalsikka_0-1716288984894.png

 

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json), and include the returned token in your servlet request as the “CSRF-Token” header. Please add below mentioned configurations in your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...

Aanchal Sikka

Views

89

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Custom implementation for RemoteContentRendererRequestHandler

Views

35

Likes

0

Replies

0
How to validate if dispatcher is caching aem content - AEMaaCS

Views

123

Likes

0

Replies

6
What are the best strategies for preparing for the AD3-D104 exam, and which platform offers the most effective study materials?

Views

32

Likes

0

Replies

0
How can I prepare for the AD0-D106 exam, and good resource for practice questions?

Views

33

Likes

0

Replies

0
How can I effectively prepare for the AD0-C101 (Adobe Experience Manager Sites Business Practitioner) exam?

Views

53

Likes

0

Replies

1