CSRF defense

To defend against CSRF attacks, the BPC generates a CSRF token for the user at every login. This token must be transmitted with every call to the API (except GET calls), either in the HTTP header X-Csrf-Token or in the URL parameter X-Csrf-Token. Calls without a valid token are rejected by the server.

The BPC adds the token automatically to AJAX calls made via the ExtJS framework.

Manually set the CSRF token

If AJAX calls are not made via ExtJS, the header has to be set manually.

The API function BpcCommon.Api.getCsrfToken() returns an object for this purpose that contains the required token in its X-Csrf-Token attribute.

Example of setting the CSRF header in a vanilla JavaScript AJAX call (XMLHttpRequest)
// Callback that runs once the response has arrived.
function reqListener () {
    console.log(this.responseText);
}

const req = new XMLHttpRequest();
req.addEventListener("load", reqListener);
// Non-GET call, so the CSRF token is required.
req.open("POST", "cxf/bpc-httpproxy/httpProxy/1647604124866");
// Copy the token from the BPC-provided object into the X-Csrf-Token header.
// setRequestHeader() must be called after open() and before send().
req.setRequestHeader(
    "X-Csrf-Token",
    BpcCommon.Api.getCsrfToken()["X-Csrf-Token"]
);
req.send();
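The following is an added example, not code from the BPC documentation or product: a small wrapper around window.fetch that applies the rule above in one place, so that callers cannot forget the token. It skips the token for GET, supports both transports the page mentions (the X-Csrf-Token header and the X-Csrf-Token URL parameter), and fails early if no token is available (for instance because the session has expired). The only assumption about the BPC is the one stated above, that BpcCommon.Api.getCsrfToken() returns an object with an X-Csrf-Token attribute; the BpcCommon stub, the token value and the function names buildBpcRequest, readCsrfToken and bpcFetch are constructed for this example.

```javascript
// Added example (not BPC's own code). Assumption taken from the page:
// BpcCommon.Api.getCsrfToken() returns { "X-Csrf-Token": "<token>" }.
const CSRF_HEADER = "X-Csrf-Token";

// Constructed stand-in for the BPC-provided global so this file runs
// offline; in a BPC page the real object exists and this stub is unused.
const BpcCommon = globalThis.BpcCommon || {
  Api: { getCsrfToken: () => ({ [CSRF_HEADER]: "constructed-token-123" }) },
};

// Read the token and refuse to continue if it is missing or empty: a call
// sent without a token is rejected by the BPC anyway, and a silent omission
// is harder to debug than an exception.
function readCsrfToken(api = BpcCommon.Api) {
  const token = api.getCsrfToken()[CSRF_HEADER];
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("BPC CSRF token unavailable; is the user logged in?");
  }
  return token;
}

// Build the fetch() arguments for a BPC API call.
//   method    HTTP method; only GET is exempt from the token (as on the page)
//   transport "header" (default) or "query" (URL parameter X-Csrf-Token)
//   body      optional object, sent as JSON
//   api       optional token source (defaults to BpcCommon.Api)
function buildBpcRequest(method, url, { body, transport = "header", api } = {}) {
  const m = method.toUpperCase();
  const headers = {};
  let finalUrl = url;

  if (m !== "GET") {
    const token = readCsrfToken(api);
    if (transport === "query") {
      // Append the token as a URL parameter, preserving any existing query.
      const sep = url.includes("?") ? "&" : "?";
      finalUrl = url + sep + encodeURIComponent(CSRF_HEADER) + "=" +
                 encodeURIComponent(token);
    } else {
      headers[CSRF_HEADER] = token;
    }
  }

  // same-origin: send the BPC session cookie, never cross-site credentials.
  const init = { method: m, headers, credentials: "same-origin" };
  if (body !== undefined) {
    headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return { url: finalUrl, init };
}

// Convenience wrapper: bpcFetch("POST", "cxf/bpc-httpproxy/httpProxy/1", { body: {...} })
async function bpcFetch(method, url, options) {
  const { url: finalUrl, init } = buildBpcRequest(method, url, options);
  return fetch(finalUrl, init);
}
```

Prefer the header transport: a token carried in the URL ends up in browser history, proxy and server access logs, and Referer headers, while a custom header additionally cannot be set by a plain cross-site form post at all.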

Prevent automatic CSRF token

If the BPC should not transmit the CSRF token automatically for a particular ExtJS call, set the flag disableBpcProcessing: true in the connection parameters (the extraParams of the proxy configuration).

Example
Ext.create("Ext.data.Store", {
    proxy : {
        type        : "ajax",
        url         : "/url",
        extraParams : {
            disableBpcProcessing : true
        }
    }
});
