Improved CSRF protection

LabKey Support Forum
Improved CSRF protection jeckels  2014-09-05 11:29
Status: Closed
 
LabKey Server has long guarded against cross-site request forgery attacks (http://en.wikipedia.org/wiki/Cross-site_request_forgery) for key security, permission, and other site-level administration features.

In version 14.3, we are working to bolster our CSRF protection by expanding to cover many more actions. This should be transparent for users who are using all modules maintained by LabKey Software. It has potential impact on external scripts and modules developed by other groups though.

At the moment, all POST requests that require either folder or site administrator permissions now protect against CSRF. We plan to extend this to all POST requests in the future, though the schedule is not yet finalized. It is generally assumed that GET requests should not be modifying the application state in ways that need protection from CSRF.

We are working to ensure that our client APIs automatically include the CSRF token. However, externally run scripts that hit the server directly via HTTP (using curl, wget, etc.) will need to supply a CSRF token for these actions or the request will be rejected.

Additionally, developers who are maintaining their own modules will need to ensure that they generate <form> elements that include the CSRF token. We have taken steps to include this automatically whenever possible, but cannot do so in all cases.

For more details, please see:

https://www.labkey.org/wiki/home/Documentation/page.view?name=csrfProtection

Please contact us (either by responding here, or through other means) with questions and concerns.

Thanks,
Josh
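The token round-trip the post asks external scripts to perform, as an added example that is not part of the original post and is not LabKey's own code. It runs a small stand-in server (in place of LabKey Server) that enforces a double-submit cookie check on POST, then drives it with a script-style client built on urllib: a bare POST is rejected, a POST that echoes the token issued in the cookie is accepted, and a POST with a wrong token is rejected. The cookie/header/form-field name X-LABKEY-CSRF, the path /admin/update, and the fallback to a form field are assumptions made for the example; confirm the real names against the csrfProtection wiki page linked above.

```python
"""Double-submit cookie CSRF check: stand-in server plus a script-style client.

Added example, not LabKey's code. Assumed (verify against the csrfProtection
docs): the token is issued in a cookie and must be echoed back in a request
header or form field of the same name, here X-LABKEY-CSRF.
"""
import http.cookiejar
import http.cookies
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CSRF_NAME = "X-LABKEY-CSRF"  # assumed cookie / header / form-field name


def cookie_token(cookie_header):
    """Pull the CSRF token out of a raw Cookie request header, or None."""
    jar = http.cookies.SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(CSRF_NAME)
    return morsel.value if morsel else None


def csrf_ok(cookie_header, header_value, form):
    """Server-side rule: the token in the cookie must equal the token the
    request carries in the header or, failing that, in the form body."""
    expected = cookie_token(cookie_header)
    submitted = header_value or (form.get(CSRF_NAME) or [None])[0]
    if not expected or not submitted:
        return False
    # constant-time compare so a forged token cannot be guessed byte by byte
    return secrets.compare_digest(expected.encode(), submitted.encode())


class StandInServer(BaseHTTPRequestHandler):
    """Mimics the behaviour described in the post: GET never changes state and
    hands out a token; POST is refused unless that token is echoed back."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        token = cookie_token(self.headers.get("Cookie")) or secrets.token_hex(16)
        self.send_response(200)
        self.send_header("Set-Cookie", f"{CSRF_NAME}={token}; Path=/")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = urllib.parse.parse_qs(body)
        if not csrf_ok(self.headers.get("Cookie"), self.headers.get(CSRF_NAME), form):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"CSRF token missing or invalid")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"state changed")


class ScriptClient:
    """What an external script has to do: GET once to obtain the cookie,
    then send the same value in a header on every state-changing POST."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))

    def fetch_token(self):
        self.opener.open(self.base_url + "/").read()
        return next((c.value for c in self.jar if c.name == CSRF_NAME), None)

    def post(self, path, fields, token=None):
        req = urllib.request.Request(self.base_url + path,
                                     data=urllib.parse.urlencode(fields).encode(),
                                     method="POST")
        if token:
            req.add_header(CSRF_NAME, token)
        try:
            with self.opener.open(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()


def run_demo():
    """Start the stand-in server and return the status of three POSTs."""
    server = HTTPServer(("127.0.0.1", 0), StandInServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client = ScriptClient(f"http://127.0.0.1:{server.server_address[1]}")
        fields = {"setting": "on"}                       # constructed form data
        bare = client.post("/admin/update", fields)      # no cookie, no header
        token = client.fetch_token()                     # GET issues the cookie
        good = client.post("/admin/update", fields, token)
        forged = client.post("/admin/update", fields, "0" * 32)
        return {"bare": bare[0], "with_token": good[0], "wrong_token": forged[0]}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

A curl script follows the same two steps: one GET with a cookie jar (-c) to receive the token, then the POST with -b pointing at that jar and the token repeated in a -H header. Module authors who render their own <form> elements face the same rule from the other side: the token must be present as a hidden field (or sent in a header by the page's JavaScript) or the server's check will refuse the submission.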