Details
- Type: New Feature
- Status: Resolved
- Priority: Major
- Resolution: Won't Fix
Description
CSRF prevention for REST APIs can be provided through a common servlet filter. This filter would check for the existence of a custom HTTP header - such as X-XSRF-Header.
The fact that CSRF attacks are entirely browser-based means that the above approach can ensure that requests are coming either from applications served by the same origin as the REST API, or that there is explicit policy configuration that allows the setting of a header on XmlHttpRequest from another origin.
We have done similar work for Hadoop (https://issues.apache.org/jira/browse/HADOOP-12691) and other components.
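A minimal servlet filter of the kind the description proposes, as an added example (it is not code from this issue or from HADOOP-12691). The class name, the init-parameter names, the default header name and the default list of exempt methods are assumptions chosen for illustration; a real deployment would take them from its own configuration:

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative CSRF filter (example code, not Hadoop's implementation).
 *
 * A browser will not attach a custom header to a cross-origin request unless
 * the target's CORS policy explicitly allows it, and a plain HTML form or a
 * top-level navigation cannot set custom headers at all. Requiring the header
 * on every state-changing request therefore rejects forged cross-site calls
 * while same-origin XHR/fetch callers simply add the header.
 */
public class RestCsrfPreventionFilter implements Filter {
    // Init-parameter names and defaults are assumptions for this example.
    public static final String HEADER_PARAM = "custom-header";
    public static final String METHODS_PARAM = "methods-to-ignore";
    public static final String DEFAULT_HEADER = "X-XSRF-Header";
    public static final String DEFAULT_IGNORED = "GET,HEAD,OPTIONS";

    private String headerName = DEFAULT_HEADER;
    private final Set<String> methodsToIgnore = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        String header = config.getInitParameter(HEADER_PARAM);
        if (header != null && !header.isEmpty()) {
            headerName = header;
        }
        String methods = config.getInitParameter(METHODS_PARAM);
        if (methods == null || methods.isEmpty()) {
            methods = DEFAULT_IGNORED;
        }
        for (String m : methods.split(",")) {
            methodsToIgnore.add(m.trim().toUpperCase(Locale.ROOT));
        }
    }

    /** Safe (read-only) methods are exempt; OPTIONS must pass so CORS preflight works. */
    boolean isIgnoredMethod(String method) {
        return methodsToIgnore.contains(method.toUpperCase(Locale.ROOT));
    }

    /** The check itself: presence of the header is all that is required, not its value. */
    boolean isAllowed(HttpServletRequest req) {
        return isIgnoredMethod(req.getMethod()) || req.getHeader(headerName) != null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isAllowed(req)) {
            chain.doFilter(request, response);
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Missing required header for CSRF protection: " + headerName);
        }
    }

    @Override
    public void destroy() {
        methodsToIgnore.clear();
    }
}
```

Two things decide whether this actually holds. First, every endpoint reached by an exempt method (GET, HEAD) must be free of side effects, since those requests skip the check; a state-changing GET reopens the hole. Second, the defence is only as strong as the CORS configuration: if `Access-Control-Allow-Headers` is granted to arbitrary origins (for example a wildcard origin reflected back with credentials allowed), a cross-origin page can legitimately send the header and the filter will pass it. Non-browser clients such as curl or SDKs are unaffected and simply add the header to their requests.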
Issue Links
- relates to HADOOP-12691 Add CSRF Filter for REST APIs to Hadoop Common (Resolved)