Cross-Site Request Forgery (CSRF) is an attack in which a request is sent on behalf of a valid user session, without the user's intent, to gain information or perform actions. In JasperReports Server, the security framework protects every page with a CSRF token carried in a POST request header, for example:
JASPER_CSRF_TOKEN: BVSY-UBBJ-K8E9-L4NZ-5866-Z4P2-ZG75-KKBW-U53Z-I833-V0OJ-BRK5-OFG5-ZL6X
In the default configuration of the server, CSRF prevention is active. We recommend leaving this setting unchanged:
CSRF Prevention
Configuration File: .../WEB-INF/classes/esapi/security-config.properties

| Property | Value | Description |
| --- | --- | --- |
| security.validation.csrf.on | true (default) | Turns CSRF prevention on or off. By default, CSRF prevention is on. Any value other than a case-insensitive "false" is equivalent to true. |
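The following is an added example, not code from JasperReports Server, showing how the two rules on this page combine on the server side: the property is "on" unless its value is a case-insensitive "false", and a state-changing request is accepted only when its JASPER_CSRF_TOKEN header equals the token bound to the session. The property file parser, the request model and the session token lookup are simplified assumptions; only the property key, the header name and the sample token value come from the page.

```python
import hmac
from typing import Mapping, Optional

# Names taken from the page: the configuration key and the request header.
CSRF_PROPERTY = "security.validation.csrf.on"
CSRF_HEADER = "JASPER_CSRF_TOKEN"


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for a Java .properties file (comments and
    blank lines skipped). Simplified stand-in, not the ESAPI loader."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def csrf_enabled(props: Mapping[str, str]) -> bool:
    """Page rule: only a case-insensitive "false" turns prevention off;
    a missing key or any other value (e.g. "off", "0") keeps it on."""
    return props.get(CSRF_PROPERTY, "true").strip().lower() != "false"


def csrf_check_passes(method: str, headers: Mapping[str, str],
                      session_token: Optional[str],
                      props: Mapping[str, str]) -> bool:
    """Decision for one request (hypothetical model of the server check).
    Safe methods pass; state-changing methods need a matching token."""
    if not csrf_enabled(props):
        return True                      # prevention switched off by config
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True                      # safe methods are not CSRF targets
    # HTTP header names are case-insensitive, so match accordingly.
    sent = next((v for k, v in headers.items() if k.upper() == CSRF_HEADER), None)
    if not sent or not session_token:
        return False                     # missing token: reject the request
    # Constant-time comparison so a wrong token leaks no timing information.
    return hmac.compare_digest(sent.encode(), session_token.encode())


# Constructed sample input; the token value is the page's own example.
SAMPLE_PROPS = parse_properties("# constructed sample\nsecurity.validation.csrf.on = true\n")
SAMPLE_TOKEN = "BVSY-UBBJ-K8E9-L4NZ-5866-Z4P2-ZG75-KKBW-U53Z-I833-V0OJ-BRK5-OFG5-ZL6X"
```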