Difference between revisions of "ADF AjaxProxy CSRF Safe Mode"
Gcronkright (talk | contribs) |
Gcronkright (talk | contribs) (→How to Enable CSRF Safe Mode) |
Revision as of 15:17, 3 March 2020
IMPORTANT: This feature requires ADF 2.5 or above and CommonSpot 10.6.1 or 10.5.2 or above.
Enable the CSRF Safe Mode for local ajaxProxy requests
ADF 2.5's new security enhancement, "ajaxProxy CSRF Safe Mode", is disabled by default. This gives developers an opportunity to update their ADF and ADF App ajaxProxy-related customizations before enabling the CSRF attack prevention validation.
If your site is only using out-of-the-box ADF and ADF Applications, then you should enable the "ajaxProxy CSRF Safe Mode" immediately after an install or an upgrade.
How to Enable CSRF Safe Mode
- In your ADF.cfc in the /_cs_apps/ folder in your site root, add the following line:
enableADFcsrfSafeMode(true);
- For new ADF installs, update the "enableADFcsrfSafeMode" line found in your site's '/_cs_apps/ADF.cfc' file from "false" to "true" (see above).
Update Custom Local AjaxProxy Requests
If your site has custom code that uses the ADF's ajaxProxy for local requests, you will need to add the CSRF_Token parameter and the method call before you can enable "ajaxProxy CSRF Safe Mode" using the steps above. Adding this extra parameter to the request will get the CSRF_Token session token, which is known by the server.
When "ajaxProxy CSRF Safe Mode" is enabled, the CSRF token key/value pair is required when making local AjaxProxy requests, along with your other request parameters, either as a Data or URL parameter; otherwise your ajaxProxy requests will not validate and will fail.
CSRF_Token as a Data parameter (using a jQuery.post):
jQuery.post("#application.ADF.ajaxProxy#",
    {
        bean: 'dataService',
        method: 'getData',
        CSRF_Token: '#application.ADF.csSecurity.getCSRF_Token()#'
    }
);
CSRF_Token as a URL parameter (using a jQuery.get):
jQuery.get("#application.ADF.ajaxProxy#?bean=dataService&method=getData&CSRF_Token=#application.ADF.csSecurity.getCSRF_Token()#")
WARNING: Enabling the "CSRF Safe Mode" without using the ADF 2.5 ready Apps or updating custom ajaxProxy local requests will limit functionality!
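One way to update many custom local requests at once, as an added example that is not ADF or CommonSpot code: a jQuery prefilter that adds the CSRF_Token parameter only to same-origin requests aimed at the ajaxProxy URL and leaves every other request untouched. The helper name injectCsrfToken is hypothetical, and the proxy path and token value are constructed placeholders; the sketch assumes the ajaxProxy value is a site-relative path and that, in a CFML template, both values would be rendered from the expressions used in the examples above.

```javascript
// Added example, not ADF code. injectCsrfToken is a hypothetical helper name.
const isTokenKey = (k) => k.toLowerCase() === 'csrf_token';

// Adds CSRF_Token to one jQuery.ajax options object; returns true if it did.
function injectCsrfToken(options, proxyPath, token, origin) {
  let target;
  try {
    target = new URL(options.url, origin);
  } catch (e) {
    return false; // unparsable URL: leave the request alone
  }
  // Never attach the session token to another origin or another endpoint.
  if (target.origin !== origin || target.pathname !== proxyPath) return false;
  // Respect a token the caller already passed as a URL parameter.
  if ([...target.searchParams.keys()].some(isTokenKey)) return false;

  const data = options.data;
  const pair = 'CSRF_Token=' + encodeURIComponent(token);
  if (typeof data === 'string') {
    if ([...new URLSearchParams(data).keys()].some(isTokenKey)) return false;
    options.data = data ? data + '&' + pair : pair;
  } else if (data && typeof data.append === 'function') {
    // FormData or URLSearchParams body
    if ([...data.keys()].some(isTokenKey)) return false;
    data.append('CSRF_Token', token);
  } else if (data && typeof data === 'object') {
    if (Object.keys(data).some(isTokenKey)) return false;
    data.CSRF_Token = token;
  } else {
    options.data = pair; // jQuery moves string data into the query for GET
  }
  return true;
}

// Register once per page when jQuery is loaded (skipped outside a browser).
if (typeof jQuery !== 'undefined') {
  const PROXY_PATH = '/example/ajaxProxy.cfm'; // constructed placeholder
  const TOKEN = 'constructed-token-value';     // constructed placeholder
  jQuery.ajaxPrefilter(function (options) {
    injectCsrfToken(options, PROXY_PATH, TOKEN, window.location.origin);
  });
}
```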