Protecting against CSRF in Drupal

Apigee supply a custom Drupal module for the Developer Portal. Can you provide an assurance that the functionality within this module or set of modules is protected against cross-site request forgery (CSRF or XSRF)?

For example, the Drupal Form API provides protection against CSRF using special tokens in the forms which are added automatically. If a module uses the Form API for all requests that modify data and if you properly follow the Form API documentation then the module is protected from CSRF.

Accepted solution

Yes, correct - Apigee devconnect modules use the Drupal Form API according to the documentation, and those Apigee devconnect modules therefore benefit from the CSRF protection that is built in to Drupal.

If you would like to confirm this, use your browser's built-in "Developer tools". You should be able to examine the form contents for any devconnect form, and see the anti-CSRF measures (token and ID fields) that Drupal injects automatically.
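The manual check described in the answer can also be scripted over saved page source. The following is an added example, not part of the original post and not Apigee or Drupal code: it lists every POST form that lacks the Form API hidden fields `form_build_id`, `form_token` and `form_id`. The sample markup, form ids, values and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Hidden inputs that Drupal's Form API adds to the forms it renders.
DRUPAL_FIELDS = ("form_build_id", "form_token", "form_id")

# Constructed sample markup (form ids, paths and values are made up for the example).
SAMPLE_HTML = """
<form id="sample-devconnect-form" method="post" action="/sample/add">
  <input type="text" name="human" value="My App" />
  <input type="hidden" name="form_build_id" value="form-CONSTRUCTED-BUILD-ID" />
  <input type="hidden" name="form_token" value="CONSTRUCTED-TOKEN" />
  <input type="hidden" name="form_id" value="sample_devconnect_form" />
</form>
<form id="hand-rolled-delete" method="POST" action="/sample/delete">
  <input type="hidden" name="form_id" value="hand_rolled_delete" />
  <input type="submit" value="Delete" />
</form>
<form id="search" method="get" action="/search"><input name="q" /></form>
"""

class FormCollector(HTMLParser):
    """Collects the hidden inputs of every <form> in the document."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"id": a.get("id") or "",
                          "method": (a.get("method") or "get").lower(), "hidden": {}}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "hidden" and a.get("name"):
                self._open["hidden"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(html):
    """Return, per POST form, which Form API hidden fields are absent or empty."""
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    return [{"form": f["id"],
             "missing": [n for n in DRUPAL_FIELDS if not f["hidden"].get(n)]}
            for f in collector.forms if f["method"] == "post"]

if __name__ == "__main__":
    for row in audit_forms(SAMPLE_HTML):
        print(row["form"], "OK" if not row["missing"] else "missing: " + ", ".join(row["missing"]))
```

Save the page source while logged in, since Drupal only adds `form_token` for authenticated sessions. The script confirms the fields are present in the markup; validation of the token on submission is done server-side by the Form API.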
