Protect against CSRF attacks
AM includes a global filter to harden protection against cross-site request forgery (CSRF) attacks. The filter applies to all REST endpoints under json/. It requires that all requests, other than GET, HEAD, or OPTIONS, include at least one of the following headers:
This header specifies which version of the REST API to use. Use this header in your requests to ensure future changes to the API do not affect your clients.
For more information about API versioning, see REST API versions.
Failure to include at least one of the headers causes the REST request to fail with a 403 Forbidden error, even if the SSO token is valid.
The CSRF filter applies only when the request includes the SSO token in the session cookie (
To disable the CSRF filter, go to Configure > Global Services > REST APIs and turn off Enable CSRF Protection.
The json/ endpoint is not vulnerable to CSRF attacks when the filter is disabled, because it requires the Content-Type: application/json header, which currently triggers the same protection in browsers. This might change in the future, however, so it is advisable to keep the CSRF filter enabled.
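The following script models the filter's decision rules described above so they can be tried against sample requests. It is an added example, not AM's own code: the accepted header names and the SSO cookie name are not present in this excerpt, so the values in the script are assumptions to be replaced with the deployment's configuration, and matching the json/ endpoint by path substring is a simplification.

```python
"""Model of AM's CSRF filter for json/ endpoints (added example, not AM's code)."""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumption: the excerpt omits the accepted header names; these placeholders stand
# in for the API-version header and a custom header the filter accepts. Adjust to
# the deployment's configuration.
CSRF_HEADERS = {"accept-api-version", "x-requested-with"}
# Assumption: name of the SSO session cookie.
SESSION_COOKIE = "iPlanetDirectoryPro"


def parse_cookies(cookie_header):
    """Parse a Cookie request header ('a=1; b=2') into a dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def csrf_check(method, path, headers, csrf_enabled=True):
    """Return (status, reason) the filter would produce for one request.

    headers: dict of request headers, matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if not csrf_enabled or "/json/" not in path:
        return 200, "filter not applicable"
    if method.upper() in SAFE_METHODS:
        return 200, "safe method exempt"
    if SESSION_COOKIE not in parse_cookies(lower.get("cookie", "")):
        # A token sent some other way (e.g. in a header) is not attached
        # automatically by the browser, so the filter does not apply.
        return 200, "no SSO cookie on request"
    if any(name in lower for name in CSRF_HEADERS):
        return 200, "CSRF header present"
    return 403, "Forbidden: non-safe method with SSO cookie but no CSRF header"


if __name__ == "__main__":
    # Constructed sample: a browser form post carrying only the cookie, and the
    # same request from a REST client that also sends the API-version header.
    form_post = {"Cookie": "iPlanetDirectoryPro=AQIC-constructed; amlbcookie=01",
                 "Content-Type": "application/x-www-form-urlencoded"}
    rest_client = dict(form_post, **{"Accept-API-Version": "resource=2.0, protocol=1.0"})
    for label, hdrs in (("form_post", form_post), ("rest_client", rest_client)):
        print(label, csrf_check("POST", "/openam/json/realms/root/sessions", hdrs))
```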