alsinan nazim

CSRF Token in Apex API Code issue

Hi All,
We have an Apex webservice created for external applications to create/access Salesforce data. We are using OAuth-based authentication with the help of a connected app. In a recent security assessment, the team pointed out that the request does not contain an anti-CSRF token. They have raised this as a high-level finding. I assume that CSRF is only required when we develop applications with Visualforce/Forms, and in this case we only have the server-side Apex logic implemented. In the response, they are getting the CSRF token as null when we try the request using Postman.

Any thoughts and help would be much appreciated.

Swetha (Salesforce Developers)
Hi Alsinan,
If the anti-CSRF token is missing from the request body when the user submits the form, or the anti-CSRF token has been changed, the server will not validate the request and will raise an error as invalid token.
I recommend you follow the coding guidelines mentioned in https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_req_forgery.htm

See Related: https://blog.insiderattack.net/anti-csrf-tokens-to-prevent-cross-site-request-forgery-csrf-79b9d7a5c079

If this information helps, please mark the answer as best. Thank you.
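The validation rule described in the answer above (a submission is rejected when its anti-CSRF token is missing from the body or differs from the one the server issued) as an added Python example. It is not Salesforce or Apex code and is not part of the original thread; the in-memory session store, the `_csrf` field name and the session id are constructed for illustration.

```python
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed in-memory session store: session id -> anti-CSRF token bound to it.
# A real application keeps this in server-side session storage.
SESSIONS: Dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Generate a fresh random anti-CSRF token and bind it to the session.
    The server embeds this value in the form it renders, so only a page
    served to that session knows it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def validate_request(session_id: str, form_fields: Dict[str, str]) -> Tuple[bool, str]:
    """Accept a form submission only when it carries the anti-CSRF token bound
    to the submitting session. Returns (accepted, reason)."""
    expected = SESSIONS.get(session_id)
    if expected is None:
        return False, "unknown session"
    submitted = form_fields.get("_csrf")       # "_csrf" is an assumed field name
    if submitted is None:
        return False, "invalid token: missing"   # token absent from the request body
    if not hmac.compare_digest(submitted, expected):
        return False, "invalid token: mismatch"  # token was changed or forged
    return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Three constructed submissions: legitimate, token missing, token altered."""
    sid = "sess-123"                             # constructed session id
    token = issue_token(sid)
    # Flip the last character deterministically so the tampered token always differs.
    tampered = token[:-1] + ("a" if token[-1] != "a" else "b")
    return [
        validate_request(sid, {"_csrf": token, "amount": "10"}),
        validate_request(sid, {"amount": "10"}),
        validate_request(sid, {"_csrf": tampered, "amount": "10"}),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Two design points worth noting: the token is bound to a server-side session rather than being a global value, and the comparison uses `hmac.compare_digest` so that a mismatch is not detectable through timing. The check protects requests where the browser attaches the user's credentials automatically (a session cookie submitted with a form), which is the situation the linked secure coding guide addresses.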
alsinan nazim
Hi Swetha, many thanks for your reply. In fact, I have checked those links provided by you. Thank you. In our context we are exposing an endpoint in Salesforce so that the third party can make the call. They are testing the security level and they are trying to initiate a call to this endpoint by providing the correct information. The only thing is that the response they receive does not have an anti-CSRF token. PS: we are not using any Apex pages or forms in this context; we only use Apex code for automated actions.