CSRF attacks attempt to make an authenticated user execute malicious functionality unknowingly; this is achieved by including a link or script in a page that accesses a site to which the user is authenticated.
It is important to understand that although CSRF attacks can execute functionality, they cannot interact with the response from the targeted server. Therefore, CSRF attacks make changes, such as transferring funds out of a bank account or changing a user's password but cannot steal data.
Identity Cloud and IDM check that one of the following custom HTTP headers is present when processing update REST requests:
x-requested-with - these headers are typically used with AJAX requests, such as ones originating from jQuery. They protect against CSRF attacks because they cannot be added to a cross-domain AJAX request without using Cross-Origin Resource Sharing (CORS). CORS is a W3C specification that allows cross-domain communication to happen in a similar way to same-domain requests; however, your servers must be configured to allow CORS.
authorization - these basic authorization headers are provided for convenience when using curl commands and authenticate the user.
x-openidm-username - these custom authorization headers are specific to IDM and authenticate the user.
Accept-API-Version - this header specifies which version of the REST API to use.
If a REST endpoint in Identity Cloud or IDM receives an update request without one of these custom HTTP headers, the request is dropped, thereby preventing any potential CSRF attacks.
Custom request headers can only be set by an XHR-type request. They cannot be set by simple GET and POST requests from HTML forms and embedded resources.
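The following is an added illustration of the header check described above, written as a small WSGI middleware; it is not Identity Cloud or IDM code, and the function and class names are assumptions. It shows why a cross-site form POST (which carries no custom headers) is dropped while an XHR or curl request carrying one of the four headers is allowed through.

```python
"""Reference implementation of the custom-header CSRF check (added example,
not ForgeRock's own code). Names below are assumptions for illustration."""
from typing import Callable, Iterable

# Headers accepted as evidence that the request is not a plain cross-site
# form submission. Matching is case-insensitive, as HTTP header names are.
CSRF_HEADERS = frozenset({
    "x-requested-with",
    "authorization",
    "x-openidm-username",
    "accept-api-version",
})

# Read-only methods need no header check; updates use POST/PUT/PATCH/DELETE.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def is_csrf_protected(method: str, headers: dict) -> bool:
    """Return True if the request may be processed under the policy above.

    An HTML form cannot add custom headers, so a forged cross-site update
    arrives with none of CSRF_HEADERS and is rejected. Empty values do not count.
    """
    if method.upper() in SAFE_METHODS:
        return True
    present = {name.lower() for name, value in headers.items() if value}
    return bool(present & CSRF_HEADERS)


class CsrfHeaderMiddleware:
    """WSGI wrapper that drops update requests lacking a qualifying header."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        # WSGI exposes request headers as HTTP_<NAME> with '-' turned into '_'.
        headers = {
            key[5:].replace("_", "-"): value
            for key, value in environ.items()
            if key.startswith("HTTP_")
        }
        if not is_csrf_protected(environ.get("REQUEST_METHOD", "GET"), headers):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Missing required request header"]
        return self.app(environ, start_response)
```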
If you build any functionality with custom endpoints, you should ensure that all GET requests are read-only, in line with the standard GET requests in Identity Cloud and IDM, so that they cannot make changes. If you choose not to follow this standard, you should ensure you implement your own protections against CSRF attacks. See Custom Endpoint Scripts for further information.