CSRF
Attach to:
Cross-Site Request Forgery (CSRF) is a vulnerability in which a malicious website causes a user's browser to send requests that the web application accepts because they carry the user's ambient credentials, such as session cookies. Agentgateway's CSRF policy protects against these attacks by rejecting unauthorized cross-site requests made on behalf of authenticated users before they reach your application.
How it works
The CSRF policy checks several properties of each request (the HTTP method, the Origin and Host headers, and the Sec-Fetch-Site fetch-metadata header) to decide whether to allow or block it.
CSRF protection is enforced by the gateway, on the server side, so malicious cross-site requests are blocked before they reach your backend. Unlike CORS, which relies on the browser to enforce it, this check applies to every HTTP client, not just browsers. Keep in mind that the signals it relies on (Origin and Sec-Fetch-Site) are set reliably only by browsers; a non-browser client controls its own headers, so the policy's value lies in stopping browser-initiated cross-site requests that carry the user's cookies or other ambient credentials.
Allowed requests
Allowed requests are as follows.
- Safe methods (GET, HEAD, OPTIONS) from any origin
- Same-origin requests (Origin matches Host)
- Requests from origins listed in additionalOrigins
- Requests with Sec-Fetch-Site: same-origin or Sec-Fetch-Site: none
Blocked requests
Blocked requests, which receive a 403 Forbidden response with the message “CSRF validation failed”, are as follows.
- Cross-site requests with Sec-Fetch-Site: cross-site (unless the origin is trusted)
- Cross-site requests where Origin doesn't match Host (unless the origin is trusted)
- Malformed Origin headers in cross-site contexts
Configuration
Review the following example configuration.

```yaml
policies:
  csrf:
    additionalOrigins:
      - "https://www.example.com"
      - "https://trusted.domain.com"
```

The additionalOrigins setting is a list of trusted origins that are allowed to make cross-site requests.
- Format: "scheme://host[:port]"
- Examples: "https://www.example.com", "http://localhost:3000"
For strict CSRF protection that blocks all cross-site requests, set additionalOrigins to an empty list. Safe-method requests and requests that are same-origin (by Origin matching Host, or by Sec-Fetch-Site: same-origin or none) are still allowed.

```yaml
...
policies:
  csrf:
    additionalOrigins: []
```
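As an added example (not agentgateway's own code, and not taken from this page), the allow/block rules from the How it works section and the additionalOrigins format from the Configuration section, modelled as a small Rust decision function. The outcomes and header names are the page's; the order of the checks, dropping default ports when comparing Origin to Host, treating Origin: null as malformed, and allowing a request that carries neither Origin nor Sec-Fetch-Site are assumptions made here, and the sample requests are constructed.

```rust
// Added reference model of the CSRF rules documented on this page.
// NOT agentgateway's implementation: header names, allow/block outcomes and
// the additionalOrigins format come from the page; check order, default-port
// handling, "Origin: null" and the no-Origin/no-Sec-Fetch-Site case are
// assumptions made for this example.

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Allow(&'static str),
    /// Corresponds to the gateway's "403 Forbidden, CSRF validation failed".
    Block(&'static str),
}

pub struct CsrfPolicy {
    /// Trusted origins in "scheme://host[:port]" form (the additionalOrigins setting).
    pub additional_origins: Vec<String>,
}

#[derive(Debug, Clone, Copy)]
pub struct Request<'a> {
    pub method: &'a str,
    /// Host header as received, e.g. "app.example.com" or "localhost:3000".
    pub host: &'a str,
    pub origin: Option<&'a str>,
    pub sec_fetch_site: Option<&'a str>,
}

/// Split an origin into lower-cased (scheme, authority). Anything that is not
/// "scheme://host[:port]" is rejected (the page's "malformed Origin" case).
/// ASSUMPTION: "null" (sent for sandboxed frames and some redirects) has no
/// scheme and is therefore treated as malformed too.
fn parse_origin(origin: &str) -> Option<(String, String)> {
    let (scheme, authority) = origin.trim().split_once("://")?;
    let scheme_ok = !scheme.is_empty()
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
    let authority_ok = !authority.is_empty()
        && !authority.contains(|c: char| c.is_whitespace() || matches!(c, '/' | '?' | '#' | '@'));
    if !scheme_ok || !authority_ok {
        return None;
    }
    Some((scheme.to_ascii_lowercase(), authority.to_ascii_lowercase()))
}

/// ASSUMPTION: ":443" (https) and ":80" (http) are dropped so that an Origin
/// of "https://app.example.com:443" matches a Host of "app.example.com".
fn strip_default_port<'a>(authority: &'a str, scheme: &str) -> &'a str {
    let default = match scheme {
        "https" => ":443",
        "http" => ":80",
        _ => return authority,
    };
    authority.strip_suffix(default).unwrap_or(authority)
}

impl CsrfPolicy {
    fn is_trusted(&self, scheme: &str, authority: &str) -> bool {
        self.additional_origins
            .iter()
            .filter_map(|o| parse_origin(o))
            .any(|(s, a)| s == scheme && strip_default_port(&a, &s) == strip_default_port(authority, scheme))
    }

    pub fn validate(&self, req: &Request<'_>) -> Decision {
        // 1. Safe methods are allowed from any origin.
        if matches!(req.method.to_ascii_uppercase().as_str(), "GET" | "HEAD" | "OPTIONS") {
            return Decision::Allow("safe method");
        }
        // 2. Fetch metadata set by the browser. Any other value (cross-site, or
        //    same-site from a sibling subdomain) falls through to the Origin check.
        let sfs = req.sec_fetch_site.map(|s| s.trim().to_ascii_lowercase());
        if matches!(sfs.as_deref(), Some("same-origin") | Some("none")) {
            return Decision::Allow("Sec-Fetch-Site same-origin or none");
        }
        // 3. Origin versus Host, then the trusted list.
        let origin = match req.origin {
            Some(o) => o,
            None if sfs.is_some() => return Decision::Block("cross-site per Sec-Fetch-Site, no Origin to trust"),
            // ASSUMPTION: neither header present means no cross-site signal (typical of
            // non-browser clients). The page does not state this case; verify it in your deployment.
            None => return Decision::Allow("no cross-site signal"),
        };
        let (scheme, authority) = match parse_origin(origin) {
            Some(parts) => parts,
            None => return Decision::Block("malformed Origin"),
        };
        let host = req.host.trim().to_ascii_lowercase();
        if strip_default_port(&authority, &scheme) == strip_default_port(&host, &scheme) {
            return Decision::Allow("Origin matches Host");
        }
        if self.is_trusted(&scheme, &authority) {
            return Decision::Allow("Origin listed in additionalOrigins");
        }
        Decision::Block("cross-site Origin not trusted")
    }
}

fn main() {
    let policy = CsrfPolicy { additional_origins: vec!["https://www.example.com".to_string()] };
    // Constructed sample requests, not captured traffic.
    let base = Request { method: "POST", host: "app.example.com", origin: None, sec_fetch_site: None };
    let samples = [
        Request { origin: Some("https://app.example.com"), ..base },
        Request { origin: Some("https://www.example.com"), sec_fetch_site: Some("cross-site"), ..base },
        Request { origin: Some("https://attacker.example"), sec_fetch_site: Some("cross-site"), ..base },
        Request { origin: Some("null"), ..base },
        Request { method: "GET", origin: Some("https://attacker.example"), ..base },
    ];
    for r in samples.iter() {
        println!("{} {:?} {:?} -> {:?}", r.method, r.origin, r.sec_fetch_site, policy.validate(r));
    }
}
```

The model makes one design choice worth calling out: when Sec-Fetch-Site says cross-site but no Origin header is present, there is nothing to match against additionalOrigins, so the request is blocked rather than waved through, which follows the page's "blocked unless trusted" rule for cross-site requests.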