Cross-Site Request Forgery (CSRF) is an exploit in which the attacker impersonates a valid user session to obtain information or perform actions on the user's behalf. In JasperReports Server, the security framework protects every page with a CSRF token sent in a header of each POST request, for example:
JASPER_CSRF_TOKEN: BVSY-UBBJ-K8E9-L4NZ-5866-Z4P2-ZG75-KKBW-U53Z-I833-V0OJ-BRK5-OFG5-ZL6X
In the default configuration of the server, CSRF prevention is active. We recommend leaving this setting unchanged:
CSRF Prevention

Configuration File: .../WEB-INF/classes/esapi/security-config.properties

| Property | Value | Description |
|---|---|---|
| security.validation.csrf.on | true (default) | Turns CSRF prevention on or off. By default, CSRF prevention is on. Any other value besides case-insensitive "false" is equivalent to true. |
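The following is an added illustration, not JasperReports Server's own code, of the two behaviours the page describes: how the `security.validation.csrf.on` property is interpreted (only a case-insensitive "false" turns the check off) and how a server-side filter uses the `JASPER_CSRF_TOKEN` header to reject state-changing requests that do not carry the token bound to the session. The properties text, the `CsrfFilter` class and its method names are constructed for this example; only the header name and property name come from the page.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Header name documented on the page for the server's CSRF token.
CSRF_HEADER = "JASPER_CSRF_TOKEN"
CSRF_PROPERTY = "security.validation.csrf.on"

# Constructed sample of a security-config.properties fragment (not the real file).
SAMPLE_PROPERTIES = """
# constructed sample
security.validation.csrf.on = true
some.other.setting = 42
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def csrf_prevention_enabled(props: Dict[str, str]) -> bool:
    """Mirror the documented rule: the check is off only when the value is a
    case-insensitive 'false'; any other value, or a missing property, means on."""
    return props.get(CSRF_PROPERTY, "true").strip().lower() != "false"


def issue_token() -> str:
    """Per-session token; unpredictable so an attacker's page cannot guess it."""
    return secrets.token_urlsafe(32)


class CsrfFilter:
    """Simplified stand-in for a request filter (assumed design, not the product's).
    Safe methods pass; state-changing requests must present the session's token."""

    SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

    def __init__(self, enabled: bool) -> None:
        self.enabled = enabled

    def check(self, method: str, headers: Dict[str, str],
              session_token: Optional[str]) -> Tuple[bool, str]:
        if not self.enabled:
            return True, "csrf prevention disabled"
        if method.upper() in self.SAFE_METHODS:
            return True, "safe method"
        # Header names are case-insensitive; normalise before lookup.
        normalised = {k.upper(): v for k, v in headers.items()}
        presented = normalised.get(CSRF_HEADER)
        if not session_token or not presented:
            return False, "missing csrf token"
        # Constant-time comparison avoids leaking the token through timing.
        if not hmac.compare_digest(presented, session_token):
            return False, "csrf token mismatch"
        return True, "token valid"


if __name__ == "__main__":
    enabled = csrf_prevention_enabled(parse_properties(SAMPLE_PROPERTIES))
    filt = CsrfFilter(enabled)
    token = issue_token()
    print(filt.check("POST", {}, token))                 # (False, 'missing csrf token')
    print(filt.check("POST", {CSRF_HEADER: token}, token))  # (True, 'token valid')
```

A cross-site page can make the victim's browser send a POST with the session cookie, but it cannot read or set the `JASPER_CSRF_TOKEN` header value, which is why the missing-token and mismatch branches are the ones that stop the forged request.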