Enable CSRF protection on GET requests for anonymous users

Level 1

Hi all,

In my current project we are thinking of a strategy to secure GET endpoints which are accessible by anonymous users. The goal is to have some kind of a unique temporary token that will be validated on the backend, so that it is more difficult to hit the endpoint with no limitation. I am looking for a code-side solution, and not firewall rules, which are already in place.

My initial idea was to extend CSRF protection to these GET endpoints; however, according to the CSRF documentation, these tokens cannot be generated by anonymous users: The CSRF Protection Framework | Adobe Experience Manager

And indeed, if I hit /libs/granite/csrf/token.json as anonymous user, I can see an empty response.

Is there a way to enable generation of CSRF tokens for anonymous users too? If yes, do you see any potential security issues related to exposing the CSRF generator to anonymous users?

3 Replies

Community Advisor

Hi,

No, you cannot generate CSRF tokens for publishers. I don't fully understand what you are trying to accomplish, so perhaps you could elaborate a bit more. If you're looking to secure some endpoints for a specific set of users, you might consider exploring CORS, Basic Authentication, OAuth2, or even simply checking a header or cookie with a temporary token.

I hope this helps!

Esteban Bustamante
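A minimal version of the "header or cookie with a temporary token" idea from this reply, added here as an example (it is not AEM's CSRF framework and not code from the thread): a stateless, HMAC-signed, time-limited token that a token servlet can hand to anonymous users and that the protected GET servlet checks. The class name, the 300-second TTL and the secret placeholder are assumptions; in AEM the secret would come from OSGi configuration, never from source.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Stateless, time-limited token for anonymous GET endpoints (added example, not AEM code).
// Token = base64url(expiry epoch seconds) + "." + base64url(HMAC-SHA256(secret, expiry)).
public final class AnonymousGetToken {
    // Placeholder: load this from OSGi configuration in a real deployment.
    private static final byte[] SECRET = "REPLACE-WITH-OSGI-CONFIGURED-SECRET".getBytes(StandardCharsets.UTF_8);
    private static final long TTL_SECONDS = 300; // assumed lifetime
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private static byte[] hmac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Issued by a token servlet that anonymous users are allowed to call. */
    public static String issue(long nowSeconds) throws Exception {
        byte[] expiry = Long.toString(nowSeconds + TTL_SECONDS).getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(expiry) + "." + ENC.encodeToString(hmac(expiry));
    }

    /** Called by the protected GET servlet; rejects malformed, tampered or expired tokens. */
    public static boolean validate(String token, long nowSeconds) {
        if (token == null) return false;
        int dot = token.indexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return false;
        try {
            byte[] expiry = DEC.decode(token.substring(0, dot));
            byte[] sig = DEC.decode(token.substring(dot + 1));
            // Constant-time comparison so the check does not leak signature bytes via timing.
            if (!MessageDigest.isEqual(hmac(expiry), sig)) return false;
            long exp = Long.parseLong(new String(expiry, StandardCharsets.UTF_8));
            return nowSeconds < exp;
        } catch (Exception e) {
            return false; // bad base64, non-numeric expiry, or HMAC failure
        }
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String t = issue(now);
        System.out.println("fresh token accepted: " + validate(t, now));
        System.out.println("expired token accepted: " + validate(t, now + TTL_SECONDS + 1));
        System.out.println("tampered token accepted: " + validate(t + "x", now));
    }
}
```

Because an anonymous client can always fetch a fresh token, this only adds a per-request cost and does not replace CSRF protection or rate limiting; throttling still needs per-client or per-token counting on the backend or gateway.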

Level 8

@MateuszRa maybe think of keeping your endpoint behind the API gateway and let the gateway do the access/validation etc. part and then route the request to the actual API

Administrator

@MateuszRa Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni