Cross-Site Request Forgery (CSRF) is a type of vulnerability in web application, in which an attacker gets a user to visit a link in a browser that is already logged into an application. The user may not be aware of what the browser is sending to the server, but the server trusts the request because the user was authenticated.

These kinds of attacks can be defeated by including a token in the request which is known to the server, but not to the attacker.


LabKey Server implements CSRF protection by annotating Action subclasses with @CSRF. Forms that do an HTTP POST to those actions should include the <labkey:csrf /> tag, which renders an <input> into the form that includes the CSRF token:

<input type=hidden name="X-LABKEY-CSRF" value="XXXX" />

The actual value will be a GUID, associated with that user and the current HTTP session. Alternatively, the CSRF token value can be sent as an HTTP header named "X-LABKEY-CSRF".

LabKey's client APIs, including our Java and JavaScript libraries, automatically set the CSRF HTTP header to ensure that their requests are trusted.

Current Protection

LabKey Server currently guards against CSRF for all key security, permission, and container operations. It is also automatically applied to all actions that require site admin or folder admin permissions.

However, not all actions that cause application state changes are currently protected. We will continue to increase the number and percentage of all actions that are protected, being mindful of potential backward compatibility concerns with applications that may be hitting URLs directly without using the standard client API libraries. Actions that require administrator access (site or folder level) are generally of the highest priority.

NOTE, it is important that session or database state is not affected by GET requests. CSRF is only used to protect POST methods.

What you need to do

  • In a JSP use <labkey:form> instead of <form>, or include <labkey:csrf /> inside of your <form>.
  • Ext.Ajax, this is handled already. see ext-patches.js
  • Ext.form.Panel add this to your items array: {xtype: 'hidden', name: 'X-LABKEY-CSRF', value: LABKEY.CSRF}
  • GWT service endpoint, this is already handle for you. see ServiceUtil.configureEndpoint()

Related Topics


expand all collapse all