Protecting against CSRF in Drupal

anonymous · August 29, 2017, 9:35am

Apigee supply a custom Drupal module for the Developer Portal. Can you provide an assurance that the functionality within this module or set of modules is protected against Cross-site request forgery (CSRF or XSRF).

For example, the Drupal Form API provides protection against CSRF using special tokens in the forms which are added automatically. If a module uses the Form API for all requests that modify data and if you properly follow the Form API documentation then the module is protected from CSRF.

anonymous · August 30, 2017, 7:23pm

Yes, correct - Apigee devconnect modules use the Drupal Form API according to the documentation, and those Apigee devconnect modules therefore benefit from the CSRF protection that is builtin to Drupal.

If you would like to confirm this, use your browser’s builtin “Developer tools”. You should be able to examine the form contents for any devconnect form, and see the anti-CSRF measures (token and ID fields) that Drupal injects automatically.

Topic		Replies	Views
Better Captcha for the Drupal developer portal? Apigee developer-portal	2	1	February 21, 2017
Session management on developer portal Apigee developer-portal	2	1	November 13, 2015
Why companies are not interested to use Drupal developer portal? Apigee developer-portal	5	4	May 17, 2021

Protecting against CSRF in Drupal

AI Suggested topics