How To
ForgeRock Identity Platform
ForgeRock Identity Cloud

How do Identity Cloud and IDM (All versions) protect against CSRF attacks?

Last updated Mar 3, 2022

The purpose of this article is to provide information on how ForgeRock Identity Cloud and IDM protects against Cross Site Request Forgery (CSRF) attacks.

2 readers recommend this article

CSRF attacks

CSRF attacks attempt to make an authenticated user execute malicious functionality unknowingly; this is achieved by including a link or script in a page that accesses a site to which the user is authenticated.

It is important to understand that although CSRF attacks can execute functionality, they cannot interact with the response from the targeted server. Therefore, CSRF attacks make changes, such as transferring funds out of a bank account or changing a user's password but cannot steal data.

Protecting against CSRF attacks

Identity Cloud and IDM defend against CSRF attacks by requiring a custom HTTP header for update REST requests (POST, PUT and DELETE); the built-in read requests (GET) don't require this custom HTTP header as they don't make changes to the repository and the response from a GET request is unavailable to a CSRF attacker. This is in line with the NSA guidelines.

Identity Cloud and IDM check that one of the following custom HTTP headers are present when processing update REST requests:

  • X-Requested-With or x-requested-with - these headers are typically used with AJAX requests, such as ones originating from JQuery. These headers protect against CSRF attacks because they cannot be added to an AJAX request cross domain without using Cross-Origin Resource Sharing (CORS). CORS is a W3C specification that allows cross-domain communication to happen in a similar way to same-domain requests, however, your servers must be configured to allow CORS.
  • Authorization or authorization - these basic authorization headers are provided for convenience when using Curl commands and authenticate the user.
  • X-OpenIDM-Username or x-openidm-username - these custom authorization headers are specific to IDM and authenticate the user.
  • Accept-API-Version - this header specifies which version of the REST API to use.

If a REST endpoint in Identity Cloud or IDM receives an update request without one of these custom HTTP headers, it is dropped; thereby preventing any potential CSRF attacks.

Custom request headers can only be set by an XHR-type request. They cannot be set by simple GET and POST requests from HTTP forms and embedded resources.


If you build any functionality with custom endpoints, you should ensure that all GET requests are also read-only in line with the standard GET requests in Identity Cloud and IDM to prevent them being able to make changes. If you choose not to follow this standard, you should ensure you implement your own protections against CSRF attacks. See Custom Endpoint Scripts for further information.

See Also

NSA Guidelines for Implementation of REST

Security Guide

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.