CSRF Token in Apex API Code issue
Hi All,
We have an Apex webservice created for external applications to create/access Salesforce data. We are using OAuth-based authentication with the help of a connected app. In a recent security assessment, the team pointed out that the request does not contain an anti-CSRF token. They have raised this as a high-level finding. I assume that CSRF protection is only required when we develop applications with Visualforce/forms, and in this case we only have the server-side Apex logic implemented. In the response, they are getting the CSRF token as null when we try the request using Postman.
Any thoughts and help would be much appreciated.
If the anti-CSRF token is missing from the request body when the user submits the form, or the anti-CSRF token has been changed, the server will not validate the request and will raise an "invalid token" error.
I recommend you follow the coding guidelines mentioned in https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_req_forgery.htm
See Related: https://blog.insiderattack.net/anti-csrf-tokens-to-prevent-cross-site-request-forgery-csrf-79b9d7a5c079
If this information helps, please mark the answer as best. Thank you
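As an added illustration (not code from the question, the answer, or Salesforce), the following Python models the server-side check the answer describes: a state-changing request arriving with a session cookie must carry the issued anti-CSRF token, and a missing or altered token is rejected as "invalid token". It also shows the distinction the question is asking about: a request authenticated only by an OAuth bearer token in the Authorization header carries no ambient browser credential, so the synchronizer-token check does not apply to that path. All credentials, session IDs and request dictionaries below are constructed sample data, and the function names are this example's own, not a Salesforce or Apex API.

```python
"""Model of when an anti-CSRF (synchronizer) token check applies.

CSRF abuses credentials the browser attaches automatically, typically a
session cookie. A cross-site page cannot make the victim's browser add an
Authorization: Bearer header, so the token check below is enforced only on
the cookie-authenticated path. This is an editor's example, not the
page's or Salesforce's own code.
"""
import hmac
import secrets

# Constructed sample data: one valid OAuth access token (as a connected
# app would issue) and one logged-in browser session.
VALID_BEARER_TOKENS = {"constructed-access-token": "integration-user"}
SESSIONS = {"sid-1234": {"user": "alice", "csrf_token": None}}


class InvalidToken(Exception):
    """Cookie-authenticated form post lacks or altered the anti-CSRF token."""


class Unauthenticated(Exception):
    """Neither a valid bearer token nor a known session cookie was present."""


def issue_csrf_token(session_id: str) -> str:
    """Create a per-session token, store it server-side, and return it.

    The application embeds this value in the form it renders; a cross-site
    attacker cannot read it, so a forged post cannot reproduce it.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def authenticate(request: dict):
    """Return (auth_kind, user). Bearer auth is checked before cookie auth."""
    auth = request.get("headers", {}).get("Authorization", "")
    if auth.startswith("Bearer "):
        user = VALID_BEARER_TOKENS.get(auth[len("Bearer "):])
        if user:
            return "bearer", user
    sid = request.get("cookies", {}).get("sid")
    if sid in SESSIONS:
        return "cookie", SESSIONS[sid]["user"]
    raise Unauthenticated("no valid credential")


def handle_state_change(request: dict) -> str:
    """Process a state-changing request, enforcing the token where it applies."""
    kind, user = authenticate(request)
    if kind == "cookie":
        expected = SESSIONS[request["cookies"]["sid"]]["csrf_token"]
        supplied = request.get("form", {}).get("csrf_token")
        # Token never issued, missing from the body, or changed -> reject.
        # compare_digest avoids leaking the token through timing differences.
        if not expected or not supplied or not hmac.compare_digest(
            expected.encode(), supplied.encode()
        ):
            raise InvalidToken("invalid token")
    return f"record created by {user} via {kind}"


def outcome(request: dict) -> str:
    """Map a request to 'ok', 'invalid token' or 'unauthenticated'."""
    try:
        handle_state_change(request)
        return "ok"
    except InvalidToken:
        return "invalid token"
    except Unauthenticated:
        return "unauthenticated"


if __name__ == "__main__":
    # OAuth client (e.g. Postman) with a bearer header: no CSRF token needed.
    print(outcome({"headers": {"Authorization": "Bearer constructed-access-token"}}))
    # Browser form post with session cookie and the issued token: accepted.
    tok = issue_csrf_token("sid-1234")
    print(outcome({"cookies": {"sid": "sid-1234"}, "form": {"csrf_token": tok}}))
    # Forged cross-site post: cookie attached by the browser, token absent.
    print(outcome({"cookies": {"sid": "sid-1234"}, "form": {}}))
    # Forged post that guesses a token: rejected as changed.
    print(outcome({"cookies": {"sid": "sid-1234"}, "form": {"csrf_token": "guess"}}))
    # Cross-site page trying the API path: it cannot set the header.
    print(outcome({"cookies": {}, "form": {}}))
```

The last two cases are the practical point behind the finding: a cookie-authenticated endpoint needs the token, while a bearer-only endpoint rejects forged requests simply because the attacker's page cannot supply the header. If the same Apex endpoint also accepts a session cookie, the token check is needed on that path.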