Cross-Site Request Forgery
  • 14 Jun 2022

Cross-Site Request Forgery (CSRF) is a type of exploit that allows attackers to perform unauthorized actions on behalf of a user that the web application trusts. For example, if you are logged into Sisense and open another web page or email provided by the attacker, the attacker can use your authenticated Sisense session to perform unwanted actions.

Note:
  • CSRF security hardening protection is enabled by default as of version L2021.5.0.
  • When CSRF is enabled in Sisense, add the parent domain to the Embedded Domain White List (Admin tab > Security Settings) to use SisenseJS and/or Sisense Mobile.

If CSRF protection is turned on, a request from your add-on to the Sisense API can return a '403 Forbidden' error. To continue working with the Sisense API under the new restrictions, Sisense implemented a new service called 'httpCommunicateService'. Every add-on that makes HTTP requests to the Sisense API should use the 'httpCommunicateService' service when CSRF protection is enabled. This service sends requests to the server with the updated headers the protection requires. Below are several examples of how you can use the service in your add-ons.

Add one of the httpCommunicate service files to your add-on (three versions are attached: an Angular service in ES5, an Angular service in ES6, and a pure JavaScript ES6 module).

For Angular

  1. Download the relevant file and include it with your add-on.
  2. Import the file with the following command:

ES5

import { httpCommunicate } from './httpCommunicate.6';

ES6

import { httpCommunicate } from './httpCommunicate.5';

In your add-on, you can create an object, for example:

const config = { url: '/api/groups', method: 'GET', data: {} };

and then use the object in functions:

httpCommunicate(config);

or as an Angular service:

$httpCommunicateService.httpCommunicate(config);

For JavaScript

  1. Download the relevant file and include it with your add-on.
  2. Import the file with the following command:

import { httpCommunicate } from './httpCommunicate.5';

In your add-on, you can create an object, for example:

const config = { type: 'GET', url: '/api/groups', data: {}, success: (data) => {}, error: (err) => {} };

and then use the object in functions:

httpCommunicate(config, true);

or as an Angular service:

$httpCommunicateService.httpCommunicate(config, true);
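As an added illustration (not Sisense's httpCommunicateService and not code from this article), here is a minimal CSRF-aware request wrapper in the same spirit: it accepts both config shapes shown above and attaches an anti-CSRF token header before sending, failing early when the token is absent instead of letting the server answer 403. The cookie name, header name and the injected fetch/cookie parameters are assumptions.

```javascript
// Added example, not Sisense's httpCommunicateService. Cookie and header
// names are placeholders (assumptions), not the names Sisense actually uses.
const CSRF_COOKIE = 'XSRF-TOKEN';   // assumed name of the anti-CSRF cookie
const CSRF_HEADER = 'X-XSRF-TOKEN'; // assumed name of the anti-CSRF header

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return decodeURIComponent(v.join('='));
  }
  return null;
}

// Normalise an add-on config ({url, method, data} or {url, type, data, ...})
// into a fetch-style request with the anti-CSRF header attached.
function buildRequest(config, cookieString) {
  const method = (config.method || config.type || 'GET').toUpperCase();
  const token = readCookie(cookieString, CSRF_COOKIE);
  if (!token) {
    // Without the token the server would reject the call with 403, so fail clearly.
    throw new Error(`missing ${CSRF_COOKIE} cookie; request would be rejected`);
  }
  const headers = { Accept: 'application/json', [CSRF_HEADER]: token };
  const request = { url: config.url, method, headers, credentials: 'same-origin' };
  if (method !== 'GET' && method !== 'HEAD') {
    headers['Content-Type'] = 'application/json';
    request.body = JSON.stringify(config.data || {});
  }
  return request;
}

// httpCommunicate-style entry point. fetchImpl and cookieString are injected
// (assumption) so the function can be exercised outside a browser.
async function httpCommunicate(config, fetchImpl, cookieString) {
  try {
    const req = buildRequest(config, cookieString);
    const res = await fetchImpl(req.url, req);
    if (res.status === 403) {
      throw new Error(`403 Forbidden for ${req.method} ${req.url}: CSRF check failed`);
    }
    if (!res.ok) throw new Error(`HTTP ${res.status} for ${req.method} ${req.url}`);
    const data = await res.json();
    if (typeof config.success === 'function') config.success(data);
    return data;
  } catch (err) {
    if (typeof config.error === 'function') config.error(err);
    throw err;
  }
}
```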
