Protect Against CSRF Attacks
To help protect against Cross-Site Request Forgery (CSRF) attacks on social web services, App Studio can ensure that all requests are tokenized. That is, each request is provided with a randomized Appkit request token.
- If it does not already exist, create a new file named csrf.conf and place it in src/main/resources/conf/security.
- In that file, set the property enabled to true. This tokenizes the requests.
- By default, the time-to-live of the Appkit request token is 60 minutes. You can change this by setting the property duration to some other value; for example, duration: 30. Requests received without a request token, or with a request token that has expired, are rejected.
This configuration enables protection against CSRF attacks and sets the time-to-live of the request token to 30 minutes:
enabled: true
duration: 30
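The following is an added illustration of the validation rule the configuration above implies (a per-session random token with a time-to-live, where a missing, expired or mismatched token causes the request to be rejected). It is not App Studio or Appkit code; the function names, the in-memory store and the clock parameter are assumptions made for the example, and the 30-minute TTL simply mirrors the duration: 30 setting.

```python
import hmac
import secrets
import time

# Mirrors "duration: 30" from the example csrf.conf (minutes).
TOKEN_TTL_MINUTES = 30


def issue_token(store, session_id, now=None, ttl_minutes=TOKEN_TTL_MINUTES):
    """Create a fresh random token for a session and record when it expires.

    `store` is a plain dict standing in for server-side session state
    (an assumption for this example); `now` can be injected for testing.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    store[session_id] = (token, now + ttl_minutes * 60)
    return token


def validate_token(store, session_id, presented, now=None):
    """Return (accepted, reason) for a token presented with a request.

    Rejects requests whose token is absent, unknown for the session,
    past its time-to-live, or different from the one issued.
    """
    now = time.time() if now is None else now
    entry = store.get(session_id)
    if entry is None:
        return (False, "no token issued for session")
    expected, expires_at = entry
    if not presented:
        return (False, "missing token")
    if now > expires_at:
        return (False, "expired token")
    # Constant-time comparison so timing does not leak token bytes.
    if not hmac.compare_digest(expected, presented):
        return (False, "token mismatch")
    return (True, "ok")


def run_demo():
    """Exercise the accept and reject paths with a fixed clock."""
    store = {}
    t0 = 1_000.0
    token = issue_token(store, "session-A", now=t0)
    return {
        "valid_within_ttl": validate_token(store, "session-A", token, now=t0 + 29 * 60),
        "expired_after_ttl": validate_token(store, "session-A", token, now=t0 + 31 * 60),
        "missing": validate_token(store, "session-A", None, now=t0),
        "wrong_token": validate_token(store, "session-A", "not-the-token", now=t0),
        "other_session": validate_token(store, "session-B", token, now=t0),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:18s} -> {outcome}")
```

The token is bound to the server-side session rather than derived from anything the client controls, which is what makes a forged cross-site request fail: the attacker's page can cause the browser to send the victim's cookies, but it cannot read or guess the per-session token.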