Hi all,
in my current project we are thinking of a strategy to secure GET endpoints which are accessible by anonymous users. The goal is to have some kind of a unique temporary token that will be validated on the backend, so that it is more difficult to hit the endpoint with no limitation. I am looking for a code-side solution, and not firewall rules which are already in place.
My initial idea was to extend CSRF protection to these GET endpoints, however according to the CSRF documentation, these tokens cannot be generated by anonymous users: The CSRF Protection Framework | Adobe Experience Manager
And indeed, if I hit /libs/granite/csrf/token.json as anonymous user, I can see an empty response.
Is there a way to enable generation of CSRF tokens for anonymous users too? If yes, do you see any potential security issues related to exposing the CSRF generator to anonymous users?
Views
Replies
Total Likes
Hi,
No, you cannot generate CSRF tokens for publishers. I don't fully understand what you are trying to accomplish, so perhaps you could elaborate a bit more. If you're looking to secure some endpoints for a specific set of users, you might consider exploring CORS, Basic Authentication, OAuth2, or even simply checking a header or cookie with a temporary token.
I hope this helps!
@MateuszRa may be think of keeping your endpoint behind the API gate way and let the gateway do access/validation/ etc part and then route the request to actual API
@MateuszRa Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies