Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
titleRecommendation

Digizuite is recommended to have CSRF setup in order to protect against CSRF (Cross Site Request forgery) attacks. 


Info
titleInfo

What is a CSRF attack?

The DAM Center's server validates the user making the request by using a session, which is created when the user logs in.

A user's session is identified by an ASP.NET session cookie. 

A malicious website may impersonate the user by making a request to the API. Such a request will also contain the ASP.NET session cookie, which makes the server believe that it's the authenticated user making the request. 

Without CSRF protection, such a request will succeed.

How does CSRF protection work?

When the user logs in, the API returns a CSRF cookie and a CSRF token.

When subsequent requests are mode, the CSRF token is added to the HTTP(S)'s request's headers. The API will then validate the CSRF cookie and CSRF token. 

The "protection" works because a malicious website will not have access to the CSRF token, so even if the ASP.NET session cookie is sent, the CSRF validation will fail, and the request will not succeed.

...