Protecting OutSystems apps from Cross Site Request Forgery attacks

OutSystems has built-in protection against CSRF attacks for POST requests since version 9.1.400.0.

Refer to this page only if you are using a previous version.

With Cross Site Request Forgery (CSRF), an attacker gets the victim's browser to send requests to your application from another site:

  • GET request
    • hidden image
    • bad link
  • POST request
    • bad form

A common use is tricking users into producing unintended likes on social networking sites.

The following example illustrates how a CSRF attack can trick a user who has not logged out of a vulnerable website into clicking a trap link that executes a script or sends a fake POST request with the user's session ID:

How to do it with OutSystems Platform

To secure your OutSystems apps against CSRF attacks, the following actions are recommended:

Use case: Perform GET requests

Actions:

  • Don't run actions in Preparation.
  • When designing your REST API, don't use cookies.

Use case: Perform POST requests
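The checks below are an added example, not OutSystems platform code and not taken from this page. In plain Python, with a constructed Request stand-in for a web framework's request object, they model why the two GET actions above work and add one common protection for POST requests: a per-session anti-forgery token embedded in the server's own forms (an assumption about approach; the page does not describe the platform's built-in mechanism). The paths /like, /transfer and /api/, the session cookie name, the csrf_token form field and SERVER_KEY are all constructed for the example.

```python
"""Constructed example: server-side CSRF checks for apps without built-in
protection. Not OutSystems code; Request is a simplified stand-in."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Tuple

# Secret used to derive per-session anti-forgery tokens (constructed; a real
# app loads this from configuration instead of generating it at import time).
SERVER_KEY = secrets.token_bytes(32)

# Screen actions that change state (constructed names for the example).
STATE_CHANGING_PATHS = {"/like", "/transfer"}
# REST API endpoints authenticate with a bearer header, never with cookies.
API_PREFIX = "/api/"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds in its own forms; bound to the session by HMAC
    so a value obtained for one session is useless for another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); a False result is the defensive outcome."""
    if req.path.startswith(API_PREFIX):
        # "Don't use cookies" for REST: a cross-site form or image tag makes the
        # browser attach cookies automatically, but cannot add a custom header,
        # so the session cookie is ignored here and only the header counts.
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False, "api: missing bearer token (cookies are ignored)"
        return True, "api: bearer token present"

    if req.path in STATE_CHANGING_PATHS:
        if req.method == "GET":
            # "Don't run actions in Preparation": a hidden image or trap link
            # can only issue GETs, so a GET must never change state.
            return False, "get: state-changing action refused on GET"
        session_id = req.cookies.get("session")
        if not session_id:
            return False, "post: no session"
        expected = issue_csrf_token(session_id)
        supplied = req.form.get("csrf_token", "")
        # Constant-time comparison. A form on another site cannot read the
        # token out of the victim's page, so a forged POST arrives without it.
        if not hmac.compare_digest(expected, supplied):
            return False, "post: csrf token missing or invalid"
        return True, "post: csrf token valid"

    return True, "read-only screen"


def demo() -> list:
    """Four constructed requests: one legitimate, three forged variants."""
    sid = "session-abc"
    legit = Request("POST", "/like", cookies={"session": sid},
                    form={"csrf_token": issue_csrf_token(sid)})
    forged_form = Request("POST", "/like", cookies={"session": sid},
                          form={"post_id": "42"})           # "bad form"
    hidden_img = Request("GET", "/like", cookies={"session": sid})  # "hidden image"
    forged_api = Request("POST", "/api/like", cookies={"session": sid})
    return [authorize(r)[0] for r in (legit, forged_form, hidden_img, forged_api)]


if __name__ == "__main__":
    print(demo())  # only the legitimate request is allowed
```

The read-only branch at the end is where Preparation logic belongs: a screen that only renders data is safe to reach by GET even when the browser attaches the session cookie, because nothing changes.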

More information

To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platform helps you develop secure applications.