If the directory/file paths specified in this guide do not exist in your WSO2 product, see Directory Structure of WSO2 Products to locate the paths applicable to your product.


Note

Before you begin, note the following:

  • If your WSO2 product is based on Carbon 4.4.6 or a later version, the configurations for mitigating CSRF attacks are enabled by default for all the applications that are built into the product. Therefore, you need to apply these configurations manually, only if you have any custom applications deployed in your product.
  • If your WSO2 product is based on a Carbon version prior to version 4.4.6, the configurations for mitigating CSRF attacks should be applied to all applications manually.

  • Important! If you are running on a JDK version that is not JDK1.8.0_144 or JDK1.8.0_077, there is a known issue related to GZIP decoding that may prevent these CSRF-related configurations from working for your product. Until this issue is fixed, we recommend one of the following approaches:
    • Be sure to use either JDK1.8.0_144 or JDK1.8.0_077 updates. We have verified that these versions are not affected by the known issue.
    • Alternatively, you can disable GZIP decoding for your product by following the steps given below. This will ensure that your product is not affected by the known issue.
      1. Open the catalina-server.xml file from the <PRODUCT_HOME>/repository/conf/tomcat/ directory.
      2. Set the compression parameter (under each of the Connector configurations) to off, as shown below:

         compression="off"
      3. Restart the server.
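Because step 2 has to be applied to every Connector in catalina-server.xml, a quick way to confirm nothing was missed is to parse the file and report any connector whose compression attribute is not "off". The following is an added example, not WSO2's own code; it embeds a constructed minimal excerpt of a catalina-server.xml (the real file has many more attributes) and assumes you would pass the real file's contents to the same functions.

```python
import xml.etree.ElementTree as ET

# Constructed, hypothetical excerpt of <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml.
# One connector still compresses responses, the other already has the setting the guide requires.
SAMPLE_CATALINA_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="9763" protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" compressableMimeType="text/html,text/javascript"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" compression="off"/>
  </Service>
</Server>
"""


def connectors_with_compression(xml_text):
    """Return (port, compression) for every <Connector> whose compression attribute
    is anything other than "off". A missing attribute is Tomcat's default ("off")
    and is therefore not reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        value = conn.get("compression", "off").strip().lower()
        if value != "off":
            findings.append((conn.get("port"), value))
    return findings


def disable_compression(xml_text):
    """Return a copy of the XML with compression="off" set on every <Connector>,
    i.e. step 2 of the guide applied to all connectors at once. Write the result
    back to catalina-server.xml yourself after reviewing it; the input is not modified."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        conn.set("compression", "off")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: read the real file and pass its text instead of the sample.
    for port, value in connectors_with_compression(SAMPLE_CATALINA_SERVER_XML):
        print(f"Connector on port {port} still has compression={value!r}; set it to \"off\"")
```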

See the following for instructions on manually updating CSRF configurations in WSO2 products:
