Protect Against CSRF Attacks

To help protect against Cross-Site Request Forgery (CSRF) attacks on social web services, App Studio can ensure that all requests are tokenized. That is, each request is provided with a randomized Appkit request token.

To enable protection against CSRF in your application:
  1. If it does not already exist, create a new file named csrf.conf and place it under src/main/resources/conf/security.

  2. In that file, set the property enabled to true. This tokenizes the requests.

  3. By default, the time-to-live of the Appkit request token is 60 minutes. You can change this by setting the property duration to some other value; for example, duration: 30. Requests received without a request token, or with a request token that has expired, are rejected.

This configuration enables protection against CSRF attacks and sets the time-to-live of the request token to 30 minutes:

enabled: true
duration: 30
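To make the behaviour described above concrete, here is an added example (not Appkit's own code) that parses the two csrf.conf properties, applies the page's 60-minute default when duration is absent, and rejects requests whose token is missing or older than the configured time-to-live. The parser, the in-memory token store and the injectable clock are assumptions for illustration; the page does not specify whether a token may be presented more than once.

```python
import secrets
import time

DEFAULT_DURATION_MINUTES = 60  # default time-to-live stated on the page


def parse_csrf_conf(text):
    """Parse the key: value lines of csrf.conf into a settings dict.

    Only 'enabled' and 'duration' are interpreted, as on the page; this
    loader is an assumption, not Appkit's own configuration reader.
    """
    settings = {"enabled": False, "duration": DEFAULT_DURATION_MINUTES}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "enabled":
            settings["enabled"] = value.lower() == "true"
        elif key == "duration":
            settings["duration"] = int(value)  # minutes, as on the page
    return settings


class CsrfTokenStore:
    """Issues random request tokens and rejects missing or expired ones."""

    def __init__(self, settings, clock=time.time):
        self.enabled = settings["enabled"]
        self.ttl_seconds = settings["duration"] * 60
        self.clock = clock  # injectable so expiry can be tested offline
        self._issued = {}  # token -> issue timestamp (assumed in-memory store)

    def issue(self):
        token = secrets.token_urlsafe(32)  # unpredictable, not guessable
        self._issued[token] = self.clock()
        return token

    def validate(self, token):
        """Return True if the request may proceed, False if it is rejected."""
        if not self.enabled:
            return True  # protection not enabled: nothing to check
        issued_at = self._issued.get(token)
        if issued_at is None:
            return False  # missing or unknown token
        return self.clock() - issued_at <= self.ttl_seconds  # expired?
```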