+ Start a Discussion
SurpriseSurprise 

CSRF

Hi,

 

We have tons of VF pages in salesforce and now see some security update.How should I use this security update.We have pages and then salesforce portal which is accessible to outside public.Now am I suppose to make changes to all the pages as some pages are accessed by the company salesforce internal users and some are accessible to the outside public on the portal .If that is the case then I have to create a form on each and every page with hidden form field and some characters stored in it .Now can somebody please tell me how these characters will me matched.

 

Or

 

This thing has to be done only on the pages which form created on the page.Can somebdy please advise?

 

 

 

Anti-CSRF token

 

 

 

 

 

 

Salesforce.com has implemented an anti-CSRF token to prevent Cross Site Request Forgery attacks.

Turning on these preferences ensures that non-setup pages include a random string of characters in the URL parameters or as a hidden form field.

Upon GET and POST requests, the application checks the validity of this string of characters and does not execute the command unless the value matches the expected value.

Salesforce.com enabled validation checks for CSRF tokens in the Summer '10 release.

sfdcfoxsfdcfox
CSRF tokens only need to be used for pages that perform some permanent action on page load (such as creating, updating, or deleting a record); you can use it on other pages to prevent deep-linking to the page (e.g. a link in an email will not load the page without confirmation).

Enabling this feature on the page automatically handles the mechanism for you. You do not need to create a form or specifically check for any tokens in your own code. The platform handles this validation on your behalf.

For a page that is enabled with CSRF protection, and does not include a CSRF token, the user will be asked to click a button to confirm their action. This prevents frame injection, resource injections, and so on.