Skip to main content





Protecting OutSystems apps from Cross Site Request Forgery attacks

  • Edit
    Collaborate with us
    Edit this page on GitHub
  • Cross-site request forgery (CSRF) is a web security vulnerability used to induce users to perform unintended actions. The following example illustrates how a CSRF attack can trick a user, that hasn't logged out from a vulnerable website, into clicking a trap link that executes a script or sends a fake POST request with the user's session ID:

    Example of a CSRF attack

    With the CSRF method, attackers are able to make requests to your application from another site using, for example:

    • Hidden image performing a GET request
    • Link performing a GET request
    • Malicious form performing a POST request
    • On load actions that perform a POST request

    OutSystems built-in protection

    The most robust and generic form of CSRF protection is to perform server-side validation. It consists in including an anti-CSRF token, known as Token Based Mitigation, within every or relevant requests:

    • For traditional web applications the view state is signed with the osVisitor cookie. When performing requests (submit or ajax), the view state signature is matched against the osVisitor. Find the osVisitor definition in this article.
    • For reactive web applications the X-CSRFToken is extracted from the nr2<user> cookie, and sent as a header on following requests. Find detailed information about nr2<user> in this article.

    How to prevent CSRF attacks when developing APIs

    With OutSystems, the development of APIs is entirely in the responsibility of the developer. APIs don't include anti-CSRF tokens by default. To secure your OutSystems APIs against CSRF attacks, we recommend the following actions:

    Use case Actions
    Perform GET requests
    • Don't run actions in the Preparation.
    • When designing your REST API, don't use cookies.
    Perform POST requests