Cross Site Request Forgery (CSRF) Protection
The Anybus CompactCom web server uses a token-based authentication system in which the authentication token is stored in a cookie (wto). Because the browser attaches this cookie to every request it sends to the module, regardless of which page initiated the request, token-based systems of this kind are prone to Cross Site Request Forgery (CSRF) attacks.
In order to protect against CSRF attacks, the web server always sets a cookie named "csrf", which is stored in the browser. Each request that submits data with a state-changing effect on the Anybus CompactCom must read the value of this cookie and include it as a parameter named "csrf" in the request. The Anybus CompactCom module only accepts the request if the value of the csrf parameter matches the value of the csrf cookie. The protection works because a page served from another origin cannot read the module's cookies: the browser still attaches the csrf cookie to a forged request, but the attacker's page cannot supply a matching csrf parameter. For a complete list of which API functions are state changing, see Supported JSON functions.
This means that anyone creating web pages that submit state-changing requests must handle this themselves. One way to do so is to add a hidden HTML input named "csrf" to every submitted HTML form and, at submission of the form, populate the value of that input with JavaScript from the value read from the csrf cookie.
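The form handling described above, written out as an added example; this is not code from the Anybus CompactCom documentation or from HMS. The endpoint URL and the request parameters are placeholders chosen for illustration, and the cookie string is passed in as an argument (rather than read from document.cookie inside the parser) so that the cookie handling can be exercised outside a browser:

```javascript
// Added example, not code from the Anybus CompactCom documentation or from HMS:
// browser-side helpers that read the "csrf" cookie set by the module's web server
// and copy its value into the "csrf" parameter of every state-changing request.
// The endpoint URL and request parameters supplied by callers are assumed.

// Return the value of cookie `name` from a document.cookie-style string
// ("wto=...; csrf=..."), or null if it is not present. The string is passed in
// explicitly so the parser can be exercised outside a browser.
function getCookieValue(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Copy `params` and add the csrf parameter read from the cookie. Throw if the
// cookie is missing: the module would reject the request anyway, and failing
// loudly is better than silently sending a request without the token.
function withCsrfParam(cookieString, params) {
  const token = getCookieValue(cookieString, 'csrf');
  if (token === null || token === '') {
    throw new Error('csrf cookie not found; reload the page to obtain one');
  }
  return Object.assign({}, params, { csrf: token });
}

// Fill (creating it if necessary) the hidden <input name="csrf"> of `form` with
// the token from the cookie. Returns the token written, or null if no cookie
// exists, so the caller can cancel the submission.
function populateCsrfInput(form, cookieString) {
  const token = getCookieValue(cookieString, 'csrf');
  if (token === null || token === '') return null;
  let input = form.querySelector('input[name="csrf"]');
  if (!input) {
    input = form.ownerDocument.createElement('input');
    input.type = 'hidden';
    input.name = 'csrf';
    form.appendChild(input);
  }
  input.value = token;
  return token;
}

// Send a state-changing request with fetch instead of an HTML form. The wto and
// csrf cookies are attached by the browser; the token is added as a form
// parameter. `url` is whichever module endpoint the caller addresses (assumed).
function postWithCsrf(url, params) {
  const body = new URLSearchParams(withCsrfParam(document.cookie, params));
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
}

// In a browser, populate the csrf input of every form on the page at submit
// time, reading the cookie at submission as the documentation instructs.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', (event) => {
    const form = event.target;
    if (!form || typeof form.querySelector !== 'function') return;
    if (populateCsrfInput(form, document.cookie) === null) {
      event.preventDefault();
      console.error('csrf cookie missing; submission cancelled');
    }
  });
}
```

Two points worth keeping in mind when using this pattern: the csrf cookie must remain readable by same-origin script (it cannot be marked HttpOnly, or the page could never copy it into the parameter), and the token is read at submission time rather than once at page load, so a form that stays open for a long time still sends whatever cookie value the browser currently holds.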