dw.web
Class CSRFProtection
dw.web.CSRFProtection
Used to generate and validate CSRF tokens. CSRFProtection allows
applications to protect themselves against CSRF attacks, using
synchronizer tokens, a best practice. Once created, these tokens
are tied to a user's session and valid for 60 minutes.
Usage:
Adding CSRF token to forms:
//CSRF token generation
<form ... action="...">
  <input name="foo" value="bar">
  <input name="${dw.web.CSRFProtection.getTokenName()}" value="${dw.web.CSRFProtection.generateToken()}">
</form>
Then, in scripts call:
dw.web.CSRFProtection.validateRequest();
Properties
tokenName : String (Read Only)
The system-generated CSRF token name. Currently, this name is not user configurable. It must be used for validateRequest() to work.
Constructor Summary
This class does not have a constructor, so you cannot create it directly.
Method Summary
static generateToken() : String
Constructs a new unique CSRF token for this session.
static getTokenName() : String
Returns the system-generated CSRF token name.
static validateRequest() : boolean
Verifies that a client request contains a valid CSRF token, and that the token has not expired.
Methods inherited from class
Object
assign, create, create, defineProperties, defineProperty, entries, freeze, fromEntries, getOwnPropertyDescriptor, getOwnPropertyNames, getOwnPropertySymbols, getPrototypeOf, hasOwnProperty, is, isExtensible, isFrozen, isPrototypeOf, isSealed, keys, preventExtensions, propertyIsEnumerable, seal, setPrototypeOf, toLocaleString, toString, valueOf, values
Method Detail
generateToken
static generateToken() : String
Constructs a new unique CSRF token for this session.
Returns:
a new CSRF token
getTokenName
static getTokenName() : String
Returns the system-generated CSRF token name. Currently, this name is not user configurable. It must be used for validateRequest() to work.
Returns:
System-generated CSRF token parameter name