Configuring CSRF Prevention

Cross-Site Request Forgery (CSRF) is an exploit in which the attacker impersonates a valid user session to gain information or perform actions on behalf of the attacker. In JasperReports Server, the security framework protects all administration pages under the Manage menu with a CSRF token sent in the header of each POST request, for example:

JASPER_CSRF_TOKEN: BVSY-UBBJ-K8E9-L4NZ-5866-Z4P2-ZG75-KKBW-U53Z-I833-V0OJ-BRK5-OFG5-ZL6X

In the default configuration of the server, CSRF prevention is active. Jaspersoft does not recommend changing this setting:

CSRF Prevention

Configuration File: …\WEB-INF\classes\esapi\security-config.properties

Property: security.validation.csrf.on
Value: true <default> | false
Description: Turns CSRF prevention on or off. By default, CSRF prevention is on. Any other value besides case-insensitive “false” is equivalent to true.
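A small audit script, added here as an example and not part of Jaspersoft's code, that reads a security-config.properties file and reports the effective CSRF state using exactly the rule stated above: a missing key means the default (on), and any value other than a case-insensitive "false" is treated as true. The sample file contents are constructed for the demonstration.

```python
"""Audit the JasperReports Server CSRF flag in security-config.properties.

Added example (not Jaspersoft code). Applies the documented rule:
security.validation.csrf.on defaults to true, and any value other than a
case-insensitive "false" is treated as true.
"""
import re

CSRF_PROPERTY = "security.validation.csrf.on"


def parse_properties(text: str) -> dict:
    """Minimal parser for Java-style .properties files: skips blank lines
    and '#' / '!' comments, splits on the first '=' or ':', trims whitespace.
    Line continuations and escape sequences are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def csrf_prevention_enabled(props: dict) -> bool:
    """True unless the flag is explicitly set to "false" in any letter case.
    A missing key means the default, which is on."""
    value = props.get(CSRF_PROPERTY)
    if value is None:
        return True
    return value.strip().lower() != "false"


def audit(text: str) -> str:
    """Return a one-line finding for the given properties file contents."""
    props = parse_properties(text)
    if csrf_prevention_enabled(props):
        return "OK: CSRF prevention is on (value=%r)" % props.get(CSRF_PROPERTY, "<default>")
    return "FINDING: CSRF prevention disabled by %s=%s" % (CSRF_PROPERTY, props[CSRF_PROPERTY])


# Constructed sample files for the demonstration.
SAMPLE_DEFAULT = "# ESAPI security configuration\nsecurity.validation.input.on=true\n"
SAMPLE_DISABLED = "security.validation.csrf.on = FALSE\n"
SAMPLE_ODD = "security.validation.csrf.on=no\n"  # not "false", so still on

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_DISABLED, SAMPLE_ODD):
        print(audit(sample))
```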
