Protecting OutSystems Apps From Cross Site Request Forgery Attacks

OutSystems has built-in protection against CSRF attacks for POST requests since version 9.1.400.0.

Refer to this page only if you are using a previous version.

In a Cross Site Request Forgery (CSRF) attack, another site causes the user's browser to send requests to your application, carrying the user's existing session, by means of:

  • GET request

    • hidden image
    • bad link
  • POST request

    • bad form

A common use is tricking users into submitting unintended likes on social networking sites.

The following example illustrates how a CSRF attack can trick a user who has not logged out from a vulnerable website into clicking a trap link that executes a script or sends a fake

(Figure: Example of a CSRF attack)

How to Do It With the OutSystems Platform

To secure your OutSystems apps against CSRF attacks, the following actions are recommended:

Use case                 Actions
Perform GET requests     Don't run actions in the Preparation.
                         When designing your REST API, don't use cookies.
Perform POST requests    Make sure there is a unique token in your request.
                         Validate it against the expected value in the session.
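The two rules in the table, shown as a small request handler in Python. This is an added example, not OutSystems platform code: the in-memory session store, the `csrf_token` form field name and the "like" action are all constructed for illustration. GET requests render but never run the state-changing action, and every POST must carry the session's token, which the server compares against the session copy in constant time.

```python
import hmac
import secrets


class CsrfProtectedApp:
    """Minimal handler for a 'like' action protected with a synchronizer token.

    Constructed example: sessions live in a dict keyed by session id (the
    value a browser would send in its cookie), and 'likes' is the state
    that a forged cross-site request must not be able to change.
    """

    TOKEN_FIELD = "csrf_token"  # hypothetical hidden form field name

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": ..., "csrf_token": ...}
        self.likes = {}     # post_id -> set of users who liked it

    def login(self, user):
        """Create a session and mint a per-session token at login time."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {
            "user": user,
            "csrf_token": secrets.token_urlsafe(32),
        }
        return sid

    def render_like_form(self, sid, post_id):
        """GET: build the form the site itself serves. Nothing changes state
        here (the 'no actions in the Preparation' rule), and the token is
        embedded so the site's own form can later be accepted."""
        session = self.sessions[sid]
        return {"post_id": post_id, self.TOKEN_FIELD: session["csrf_token"]}

    def handle(self, method, sid, form):
        """Dispatch a request; returns (status, message)."""
        session = self.sessions.get(sid)
        if session is None:
            return 401, "no session"
        if method == "GET":
            # A GET triggered by a hidden image or bad link reaches the
            # endpoint, but no state-changing action runs for it.
            return 200, "rendered"
        if method != "POST":
            return 405, "method not allowed"
        submitted = form.get(self.TOKEN_FIELD, "")
        expected = session["csrf_token"]
        # Another site can make the browser send the session cookie, but it
        # cannot read this session's token, so a cross-site form arrives with
        # the field missing or wrong. Constant-time comparison avoids leaking
        # the token through timing differences.
        if not hmac.compare_digest(submitted.encode(), expected.encode()):
            return 403, "invalid CSRF token"
        self.likes.setdefault(form["post_id"], set()).add(session["user"])
        return 200, "liked"


def demo():
    """Run the legitimate flow and the two kinds of request the table guards against."""
    app = CsrfProtectedApp()
    sid = app.login("alice")
    # Legitimate: the form rendered by the site carries the session token.
    accepted = app.handle("POST", sid, app.render_like_form(sid, "post-1"))
    # Cross-site form: the session cookie is present but the token is not.
    rejected = app.handle("POST", sid, {"post_id": "post-1"})
    # Hidden image: a GET reaches the endpoint but runs no action.
    rendered = app.handle("GET", sid, {"post_id": "post-1"})
    return accepted, rejected, rendered, app.likes


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session rather than to a single form, which is the simplest form of the table's "validate against the expected value in the session" rule; rotating it per form is a stricter variant of the same check.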