Hi @All,
I am working on the CSRF token validation on the backend server. We are using OutSystems, which provides the CSRF token in the headers and in the nr2<User> cookie. How can I validate this information on a stateless server? Is it sufficient to match these two tokens to validate the CSRF token? If yes, why can't a malicious user misuse it?
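As an added illustration of the pattern this question describes (a CSRF token carried in both a cookie and a request header, checked on a stateless backend), here is a small Python example. It is not OutSystems code and not from anyone in this thread. The header name `X-CSRF-Token`, the cookie name `nr2_placeholder` (standing in for the platform's nr2<User> cookie), the server secret and the sample requests are all constructed assumptions. The example goes one step beyond a plain equality check: the token is HMAC-signed with a server-side secret and bound to the authenticated user, so a cookie/header pair that merely agree but were never minted by this server is rejected, which is the property a stateless server relies on.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"
CSRF_HEADER = "X-CSRF-Token"        # assumed header name
CSRF_COOKIE = "nr2_placeholder"     # placeholder for the platform's nr2<User> cookie


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over payload, URL-safe base64 without padding."""
    digest = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_csrf_token(user_id: str) -> str:
    """Mint a token of the form <nonce>.<hmac(user_id:nonce)>.

    The frontend stores it in the cookie and echoes it in the header.
    Binding the MAC to user_id means a token minted for one user is not
    accepted for another, and a token the server never minted fails the
    MAC check even when cookie and header agree.
    """
    nonce = secrets.token_urlsafe(16)
    return f"{nonce}.{_sign(f'{user_id}:{nonce}'.encode())}"


def validate_csrf(header_token, cookie_token, user_id: str) -> bool:
    """Stateless check: both values present, equal, and carrying a valid MAC.

    user_id is the identity the backend already authenticated for this
    request (e.g. from the session or bearer token), not something taken
    from the CSRF token itself.
    """
    if not header_token or not cookie_token:
        return False
    # Constant-time comparison avoids leaking where the strings differ.
    if not hmac.compare_digest(header_token, cookie_token):
        return False
    nonce, sep, sig = cookie_token.partition(".")
    if not sep or not nonce or not sig:
        return False
    expected = _sign(f"{user_id}:{nonce}".encode())
    return hmac.compare_digest(sig, expected)


def check_request(request: dict, user_id: str) -> bool:
    """Pull the token from a constructed request shape and validate it."""
    return validate_csrf(
        request.get("headers", {}).get(CSRF_HEADER),
        request.get("cookies", {}).get(CSRF_COOKIE),
        user_id,
    )


def demo() -> dict:
    """Run a few constructed requests through the check and report outcomes."""
    token = issue_csrf_token("alice")
    good = {"headers": {CSRF_HEADER: token}, "cookies": {CSRF_COOKIE: token}}
    # Cross-site form posts carry the cookie but cannot set a custom header.
    no_header = {"headers": {}, "cookies": {CSRF_COOKIE: token}}
    # Cookie and header agree, but neither was minted by this server.
    forged = "abc.def"
    self_made = {"headers": {CSRF_HEADER: forged}, "cookies": {CSRF_COOKIE: forged}}
    return {
        "valid_pair": check_request(good, "alice"),
        "missing_header": check_request(no_header, "alice"),
        "unsigned_pair": check_request(self_made, "alice"),
        "wrong_user": check_request(good, "bob"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The cookie carrying the token should be scoped so that only the application origin can read it from script (it is echoed into the header by first-party JavaScript, so it cannot be HttpOnly), and the backend should apply the check to every state-changing method, not only POST.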
Hi Arvind,
What are you trying to solve? The OutSystems platform already has built-in protection against CSRF attacks.
You don't need to implement anything specific for it to work.
https://success.outsystems.com/Support/Security/How_the_OutSystems_Platform_Helps_You_Develop_Secure_Applications/Protecting_OutSystems_apps_from_Cross_Site_Request_Forgery_attacks
Regards,
Daniel
Hi @Daniël Kuhlmann ,
We are using OutSystems as a frontend app, and we are using Java in the backend to develop REST APIs.
So, do we need to check the above information in the Java backend to protect against CSRF attacks?
Thanks and Regards
Arvind
Since CSRF detection is a server-side problem, and since your server isn't running OutSystems software, I'd say your question is out of scope for this forum. There's plenty of information on-line about detection of CSRF for stateless interfaces (e.g. here), I'd suggest you go find that and implement something.
DISCLAIMER: the above is not solid security advice. If you are unsure how to secure a connection to your Java back-end, consult a security expert and follow their recommendations. If you have no background in security, nor in-depth knowledge of the topics involved, you cannot design a secure interface.