Cross-site request forgery (CSRF) is a web security vulnerability used to induce users to perform unintended actions. For example, a CSRF attack can trick a user who hasn't logged out of a vulnerable website into clicking a trap link that executes a script or sends a forged POST request carrying the user's session ID.
With the CSRF method, attackers are able to make requests to your application from another site using, for example:
- Hidden image performing a GET request
- Link performing a GET request
- Malicious form performing a POST request
- On-load actions that perform a POST request
OutSystems built-in protection
The most robust and generic form of CSRF protection is server-side validation. It consists of including an anti-CSRF token (known as Token Based Mitigation) in every request, or at least in the relevant ones:
- For traditional web applications, the view state is signed with the osVisitor cookie. When performing requests (submit or AJAX), the view state signature is matched against the osVisitor cookie. Find the osVisitor definition in this article.
- For reactive web applications, the X-CSRFToken is extracted from the nr2<user> cookie and sent as a header on subsequent requests. Find detailed information about nr2<user> in this article.
How to prevent CSRF attacks when developing APIs
With OutSystems, the development of APIs is entirely the developer's responsibility. APIs don't include anti-CSRF tokens by default. To secure your OutSystems APIs against CSRF attacks, we recommend the following actions:
- Perform GET requests
- Perform POST requests
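The following is an added example (not OutSystems' own implementation) of the token-based mitigation described above, applied to a custom API: a token is derived from the session cookie with an HMAC, the client sends it back in an X-CSRFToken header, and the server only accepts state-changing requests when the header matches the cookie-bound token. The cookie name `session` and the server key are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Mapping

# Hypothetical server-side secret; a real deployment loads it from protected configuration.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_cookie: str) -> str:
    """Derive an anti-CSRF token bound to the session cookie value (HMAC-SHA256).

    Because the token is a keyed hash of the cookie, a cross-site page that can
    trigger a request with the cookie attached still cannot compute the token.
    """
    return hmac.new(SERVER_KEY, session_cookie.encode(), hashlib.sha256).hexdigest()


def validate_request(
    method: str,
    cookies: Mapping[str, str],
    headers: Mapping[str, str],
    cookie_name: str = "session",
    header_name: str = "X-CSRFToken",
) -> bool:
    """Return True if the request may proceed, False if it must be rejected.

    Safe methods are accepted without a token; they must not change state, so a
    forged GET (hidden image, trap link) gains the attacker nothing. Every other
    method needs a header token that matches the token bound to the session cookie.
    """
    if method.upper() in SAFE_METHODS:
        return True
    session = cookies.get(cookie_name)
    token = headers.get(header_name)
    if not session or not token:
        # A cross-site form submission carries the cookie but cannot set custom headers.
        return False
    # Constant-time comparison avoids leaking the expected token through timing.
    return hmac.compare_digest(issue_token(session), token)
```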
To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems helps you develop secure applications.