OutSystems has built-in protection against CSRF attacks for POST requests since version 9.1.400.0.
Refer to this page only if you are using a previous version.
In a Cross Site Request Forgery (CSRF) attack, the attacker makes a victim's browser send requests to your application from another site, so the requests arrive with the victim's session cookies and look legitimate. Typical vehicles are:
- hidden image
- bad link
- bad form
A common use is tricking logged-in users into registering likes they never intended on social networking sites.
The following example illustrates how a CSRF attack can trick a user who has not logged out from a vulnerable website into clicking a trap link that executes a script or sends a fake
How to Do It With the OutSystems Platform
To secure your OutSystems apps against CSRF attacks, the following actions are recommended:
| Request type | Recommendation |
|---|---|
| GET requests | Don't run actions in the Preparation: a GET must only render, never change state, so a hidden image or trap link cannot trigger an action. |
| POST requests | Make sure there is a unique token in your request, and validate it against the expected value stored in the session. |
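The two recommendations above, carried through as a working session-bound CSRF token. This is an added example, not OutSystems platform code: the session is modelled as a dictionary, and the session key `csrf_token` and the hidden form field of the same name are assumed names. A GET only renders the form (and issues the token), while a POST performs the like only when the submitted token matches the value held in the session.

```python
"""Session-bound CSRF token: added example, not OutSystems code.
The session dict, CSRF_SESSION_KEY and CSRF_FORM_FIELD are assumptions."""
import hmac
import secrets
from html import escape

CSRF_SESSION_KEY = "csrf_token"   # assumed session variable name
CSRF_FORM_FIELD = "csrf_token"    # assumed hidden-input name


def issue_csrf_token(session: dict) -> str:
    """Return this session's CSRF token, creating an unguessable one on first use."""
    token = session.get(CSRF_SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        session[CSRF_SESSION_KEY] = token
    return token


def csrf_token_is_valid(session: dict, submitted) -> bool:
    """Compare the submitted token with the session's expected value in constant time."""
    expected = session.get(CSRF_SESSION_KEY)
    if expected is None or not isinstance(submitted, str) or not submitted.isascii():
        return False
    return hmac.compare_digest(expected, submitted)


def render_like_form(session: dict, post_id: int) -> str:
    """GET handler: render the form with the token embedded; change no state here."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/like">'
        f'<input type="hidden" name="post_id" value="{post_id}">'
        f'<input type="hidden" name="{CSRF_FORM_FIELD}" value="{escape(token)}">'
        '<button>Like</button></form>'
    )


def handle_like(session: dict, method: str, params: dict):
    """Dispatch one request and return (status, body).

    GET  -> only renders, so an <img src=...> or a trap link cannot cause a like.
    POST -> performs the like only if the token matches the session value.
    """
    if method == "GET":
        # Recommendation 1: nothing state-changing runs in the Preparation.
        return 200, render_like_form(session, int(params.get("post_id", 0)))
    if method == "POST":
        # Recommendation 2: require the per-session token and validate it.
        if not csrf_token_is_valid(session, params.get(CSRF_FORM_FIELD)):
            return 403, "CSRF token missing or invalid"
        session.setdefault("likes", set()).add(int(params["post_id"]))
        return 200, "like recorded"
    return 405, "method not allowed"


def demo() -> dict:
    """Run the legitimate flow and three forged requests against one victim session."""
    victim = {}  # constructed: an authenticated session, selected by its cookie

    # Legitimate user: GET renders the form (token issued), then POSTs with that token.
    status_get, _ = handle_like(victim, "GET", {"post_id": "7"})
    token = victim[CSRF_SESSION_KEY]
    status_ok, _ = handle_like(victim, "POST", {"post_id": "7", CSRF_FORM_FIELD: token})

    # Attacker's hidden image: <img src="/like?post_id=42"> fires a GET with the cookie.
    status_img, _ = handle_like(victim, "GET", {"post_id": "42"})

    # Attacker's bad form: auto-submitted POST from another origin, token unknown.
    status_forged, _ = handle_like(victim, "POST", {"post_id": "42"})

    # Attacker guessing a token: still rejected.
    status_guess, _ = handle_like(victim, "POST", {"post_id": "42", CSRF_FORM_FIELD: "AAAA"})

    return {
        "get": status_get,
        "legit_post": status_ok,
        "hidden_image": status_img,
        "forged_post": status_forged,
        "guessed_post": status_guess,
        "likes": sorted(victim["likes"]),
    }


if __name__ == "__main__":
    print(demo())
```

The token is generated once per session and compared with `hmac.compare_digest` so that a mismatch cannot be narrowed down by timing. Because the attacker's page runs on another origin it cannot read the token out of the victim's form, so both the forged POST and the hidden-image GET leave the victim's likes untouched.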
To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platform helps you develop secure applications.