CSRF Protection on GET and POST requests

Knowledge Article Number 000230653
Description
To protect against cross site request forgeries, take advantage of the new default CSRF settings to improve organizational security. These two settings are enabled by default for all organizations since Spring '14:
  • Enable CSRF protection on GET requests on non-setup pages: Protects against Cross Site Request Forgery (CSRF) attacks by modifying non-setup pages to include a random string of characters in the URL parameters or as a hidden form field.
  • Enable CSRF protection on POST requests on non-setup pages: Protects against CSRF attacks by modifying non-setup pages to include a random string of characters in the URL parameters or as a hidden form field.
Resolution
How do these settings improve organizational security?
Both settings protect against Cross Site Request Forgery (CSRF) attacks by modifying non-setup pages to include a random string of characters in the URL parameters or as a hidden form field. With every GET and POST request, the application checks the validity of this string of characters and doesn't execute the command unless the value found matches the expected value. This setting is selected by default for all organizations.
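The check described above, as an added illustration rather than Salesforce's own implementation: a random per-session token is issued, carried either as a URL parameter (GET) or as a hidden form field (POST), and every request is rejected unless the submitted value matches the expected one. The parameter name `csrf_token`, the session store and the sample requests are all constructed for this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: session id -> expected CSRF token.
SESSIONS: dict[str, str] = {}

def issue_csrf_token(session_id: str) -> str:
    """Generate a random, unguessable token for this session and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token

def build_link(session_id: str, path: str) -> str:
    """GET case: the token travels as a URL parameter (name 'csrf_token' is an assumption)."""
    return f"{path}?csrf_token={SESSIONS[session_id]}"

def render_form(session_id: str, action: str) -> str:
    """POST case: the token travels as a hidden form field."""
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{SESSIONS[session_id]}">'
            '</form>')

def is_valid_request(session_id: str, method: str, query: str, body: str) -> bool:
    """Validate the token submitted with a GET (query string) or POST (form body).
    A missing, unknown-session or mismatching token means the command must not run."""
    expected = SESSIONS.get(session_id)
    if expected is None:
        return False
    source = query if method == "GET" else body
    supplied = parse_qs(source).get("csrf_token", [""])[0]
    # Constant-time comparison so the token cannot be recovered via timing differences.
    return hmac.compare_digest(supplied, expected)

def demo() -> dict[str, bool]:
    """Legitimate requests carry the issued token; a cross-site forgery cannot know it."""
    sid = "sess-123"  # constructed session identifier
    issue_csrf_token(sid)
    query = build_link(sid, "/delete").split("?", 1)[1]
    return {
        "legit_get": is_valid_request(sid, "GET", query, ""),
        "legit_post": is_valid_request(sid, "POST", "", f"csrf_token={SESSIONS[sid]}"),
        "forged_get": is_valid_request(sid, "GET", "id=7", ""),          # no token at all
        "forged_post": is_valid_request(sid, "POST", "", "id=7&csrf_token=guess"),
    }
```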

Alternatively, customers with a business justification can have these options disabled by contacting Salesforce Support.

Related Articles:
Modify Session Security Settings
Secure Coding Cross Site Request Forgery
Cross-Site Request Forgery (CSRF)