Exclude REST and FHIR2 from CSRF check

Wandji69 · May 31, 2022 · 5c98cc8 · 5c98cc8
1 parent ac68435
commit 5c98cc8
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/webapp/src/main/webapp/WEB-INF/csrfguard.properties b/webapp/src/main/webapp/WEB-INF/csrfguard.properties
@@ -217,6 +217,8 @@ org.owasp.csrfguard.Ajax = true
 # org.owasp.csrfguard.unprotected.Public = %servletContext%/Public/*
 org.owasp.csrfguard.unprotected.csrfguard = %servletContext%/csrfguard
 org.owasp.csrfguard.unprotected.Initialsetup = %servletContext%/initialsetup
+# /ws/ is the prefix used by the REST API and FHIR2
+org.owasp.csrfguard.unprotected.WS = %servletContext%/ws/*
 
 #
 # Regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex:
@@ -495,4 +497,4 @@ org.owasp.csrfguard.PageTokenSynchronizationTolerance = 2000
 # Defaults to False.
 # Note: it is only enabled for the demo application, for testing purposes.
 #
-org.owasp.csrfguard.forceSynchronousAjax = false
+org.owasp.csrfguard.forceSynchronousAjax = false