Configuring applications in WSO2 products to mitigate CSRF attacks

Before you begin, note the following:

- If your WSO2 product is based on Carbon 4.4.6 or a later version, the configurations for mitigating CSRF attacks are enabled by default for all the applications that are built into the product. Therefore, you need to apply the following configurations manually only to custom applications that you have deployed in your product.
- If your WSO2 product is based on a Carbon version prior to 4.4.6, the configurations for mitigating CSRF attacks are not enabled by default and must be applied manually to all applications, built-in and custom alike.
- Important! Some updates of JDK 1.8 (for example, JDK 1.8.0_151) are affected by a known issue related to GZIP decoding, which may prevent these CSRF-related configurations from working in your product. Therefore, until this issue is fixed, we recommend one of the following approaches:
  - Run your product on JDK 1.8.0_144 or JDK 1.8.0_077. We have verified that these JDK versions are not affected by the known issue.
  - Alternatively, disable GZIP compression on the Tomcat connectors of your product by following the steps given below. This ensures that your product is not affected by the known issue.
    - Open the catalina-server.xml file.
    - Set the compression attribute of each Connector configuration to off. Do this for every Connector element in the file, not only the HTTPS one.
    - Restart the server for the change to take effect.
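The following is an added illustration of the connector change, not a copy of the page's own snippet or of a WSO2 catalina-server.xml. It shows a trimmed Tomcat HTTPS Connector with response compression enabled, followed by the same Connector after the compression attribute has been switched off. The port (the default Carbon HTTPS port 9443), the keystore path and password, and the MIME type list are placeholders chosen for the example; the other attribute names are standard Tomcat Connector attributes.

```xml
<!-- Added example: trimmed Connector entries of the kind found in catalina-server.xml.
     Placeholder values (port, keystore path and password, MIME types) are assumptions
     for this illustration, not WSO2 defaults. -->

<!-- Before: GZIP compression of responses is enabled on this connector -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="path/to/keystore.jks"
           keystorePass="changeit"
           compression="on"
           compressionMinSize="2048"
           compressableMimeType="text/html,text/javascript,application/javascript,application/xml,text/css"
           URIEncoding="UTF-8"/>

<!-- After: compression switched off. Apply the same change to every other
     Connector element in the file (for example the plain HTTP connector). -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="path/to/keystore.jks"
           keystorePass="changeit"
           compression="off"
           URIEncoding="UTF-8"/>
```

Tomcat reads the Connector configuration only at startup, so the server must be restarted after editing the file. The compressionMinSize and compressableMimeType attributes are only consulted when compression is on, so they can be left in place or removed once compression is off; removing them makes the intent of the change obvious to the next reader of the file.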
See the following for instructions on manually updating CSRF configurations in WSO2 products: