CSRF token is not generating when accessing live site pages[Dispatcher/AKAMAI]

Question

Hi All,Recently we have upgraded from AEM 6.0 to AEM 6.2.From 6.1 on wards there is a new security feature implemented and it's looks for csrf token generation when doing the ant POST,PUT and DELETE operation.I have observed one thing that token is generating when log-in into author and publish instances but this token is not generating when accessing live site pages through dispatcher or AKAMAI.We also made changes in dispatcher side to allow this token generation but still no new token is generating.What are the other changes required to generate the token?Thanks,Kishore.

Peter_Puzanovs · Accepted Answer

Hi Kishkore,Yes, you need to set Akamai for that path with rule DO_NOT_CACHE as well as configure Dispatcher to do not cache your CSRF tokens.Regards,Peter

aanchal-sikka · Answer

The CSRF token is not required for GET requests, or anonymous requests.

AEM requires a valid CSRF token to be sent for authenticated POST, __PUT, or DELETE HTTP requests to both AEM Author and Publish services.

For details: https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/developing/advanced/csrf-protection.html#:~:text=AEM%20requires%20a%20valid%20CSRF,GET%20requests%2C%20or%20anonymous%20requests.&text=See%20the%20documentation%20for%20more%20details%20on%20AEM's%20CSRF%20protection.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded