Cross-Site Request Forgery (CSRF) Protection

AM includes a global filter to harden AM's protection against CSRF attacks. The filter applies to all REST endpoints under json/ and requires that all requests other than GET, HEAD, or OPTIONS include, at least, one of the following headers:

  • X-Requested-With

    This header is often sent by Javascript frameworks, and the UI already sends it on all requests.

  • Accept-API-Version

    This header specifies which version of the REST API to use. Use this header in your requests to ensure future changes to the API do not affect your clients.

    For more information about API versioning, see REST API Versioning.

Failure to include at least one of the headers causes the REST call to fail with a 403 Forbidden error, even if the SSO token is valid.


The CSRF filter applies only when the request includes the SSO token in the session cookie (iPlanetDirectoryPro by default).

To disable the filter, go to Configure > Global Services > REST APIs > and turn off Enable CSRF Protection.

The json/ endpoint is not vulnerable to CSRF attacks when the filter is disabled, since it requires the "Content-Type: application/json" header, which currently triggers the same protection in browsers. This may change in the future, so it is recommended to enable the CSRF filter.

Read a different version of :