Script: Class dw.web.CSRFProtection
Class CSRFProtection
- Object
- dw.web.CSRFProtection
Used to generate and validate CSRF tokens. CSRFProtection allows applications to protect themselves against CSRF attacks, using synchronizer tokens, a best practice. Once created, these tokens are tied to a user’s session and valid for 60 minutes.
Usage:
Adding CSRF token to forms:
//CSRF token generation
<form ... action="">
  <input name="foo" value="bar">
  <input type="hidden" name="${dw.web.CSRFProtection.getTokenName()}" value="${dw.web.CSRFProtection.generateToken()}">
</form>
Then, in the script that handles the submitted form, call:
dw.web.CSRFProtection.validateRequest();
and reject the request (do not perform the state-changing action) when it returns false.
Properties
tokenName : String Read Only
The system-generated CSRF token name. Currently, this name is not user configurable. The request parameter that carries the token must use this name, otherwise validateRequest() cannot find the token.
Constructor Summary
This class does not have a constructor, so you cannot create it directly.
Method Summary
static generateToken() : String
Constructs a new unique CSRF token for this session.
static getTokenName() : String
Returns the system generated CSRF token name.
static validateRequest() : boolean
Verifies that a client request contains a valid CSRF token, and that the token has not expired.
Methods inherited from class Object
assign, create, create, defineProperties, defineProperty, entries, freeze, fromEntries, getOwnPropertyDescriptor, getOwnPropertyNames, getOwnPropertySymbols, getPrototypeOf, hasOwnProperty, is, isExtensible, isFrozen, isPrototypeOf, isSealed, keys, preventExtensions, propertyIsEnumerable, seal, setPrototypeOf, toLocaleString, toString, valueOf, values
Method Detail
generateToken
static generateToken() : String
Constructs a new unique CSRF token for this session.
Returns:
a new CSRF token
getTokenName
static getTokenName() : String
Returns the system-generated CSRF token name. Currently, this name is not user configurable. The request parameter that carries the token must use this name, otherwise validateRequest() cannot find the token.
Returns:
System-generated CSRF token parameter name
validateRequest
static validateRequest() : boolean
Verifies that the current client request contains a CSRF token that belongs to this session and that the token has not expired. Returns true if both conditions are met, and false otherwise. A false result must be treated as a failed request; the caller is responsible for not performing the protected action.
Returns:
true if request contains a valid CSRF token, false otherwise