CSRF Token Protection

Overview

Starting with Suite Admin 5.0.1, Cisco provides CSRF protection for all API calls.

When an API call is made by you or by the CloudCenter Suite, be aware that a CSRF token is required when both of the following conditions hold:

  • The request method is POST, PUT, or DELETE
    and

  • The request Content-Type is not application/json

Sending the token on a request that does not need it is harmless, so a client may attach it to every POST, PUT, and DELETE.

For example, the following functions require the CSRF token:

  • Suite Admin Resource Management Service API Calls that use the following functions:

    • Company logo upload

    • User avatar upload

  • Workload Manager API Calls that use the following functions

    • Application profiles

    • Logo upload

    • Services logo upload

    • Import applications

    • Cloud account management API calls

    • DELETE calls that change the database contents

The 403 Forbidden Error for Some APIs

If the CSRF token is missing, stale, or incorrect, the API returns an HTTP 403 Forbidden error because of the CSRF token protection. The 403 is returned before the request is processed, so the call has no effect.

If you see this error, retrieve a current CSRF token (see Retrieving the CSRF Token below) and set it in the request header of the affected API before retrying.

Setting the CSRF Token

To set a CSRF token, add a request header named X-CSRF-TOKEN whose value is the token. The header name is case sensitive and must be written in uppercase exactly as shown; a lowercase or mixed-case variant is not recognized.

Retrieving the CSRF Token

To obtain the CSRF token, follow this procedure.

  1. You must first pass authentication. See API Authentication for details.

  2. Once authenticated, use one of the following APIs to retrieve the CSRF token from the response body (csrfToken attribute). See Authentication Service API Calls 5.0.0 for details.

    1. Login API (/suite-auth/login)

    2. Token Refresh API (/suite-auth/api/v1/token)

    3. CSRF Token API (/suite-auth/api/v1/csrfToken)

Using the CSRF Token

See the following request for examples of using a CSRF Token.

Java Rest Client Example
WebResource.Builder builder = webResource.type(MediaType.APPLICATION_JSON).header("X-CSRF-TOKEN", "<TOKEN>");
Python Example
import requests

# The header name must be exactly X-CSRF-TOKEN; the Content-Type key is case insensitive.
headers = {'content-type': 'application/json', 'X-CSRF-TOKEN': '<TOKEN>'}

# verify=False disables TLS certificate checking and exposes the session and
# token to interception. Use it only against a lab instance, or pass the
# Suite's CA bundle path as verify=... instead.
requests.delete(url, headers=headers, verify=False)

requests.post(url, json=jobJson, headers=headers, verify=False)

Where <TOKEN> is retrieved as specified in the Retrieving the CSRF Token section above.
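The following is an added example and is not Cisco's code. It puts the whole procedure on this page together in working Python: the rule for when a token is required, retrieval of the csrfToken attribute from the login and token endpoints named above, attaching the X-CSRF-TOKEN header to mutating calls, and recovery from a 403 caused by a stale token. It runs offline against a constructed stand-in for the Suite Admin endpoints; the stand-in's behaviour (one-token-at-a-time rotation, error bodies), the API resource paths used in the demo, and the retry-once policy are assumptions, not documented Suite behaviour.

```python
"""CSRF-aware CloudCenter Suite client, exercised against a constructed fake.
Added example; not Cisco's code. Endpoint paths and the csrfToken attribute
are from the documentation; everything else is an assumption for illustration."""
from typing import Any, Callable, Dict, List, Optional, Tuple

MUTATING_METHODS = {"POST", "PUT", "DELETE"}
TOKEN_ENDPOINTS = {"/suite-auth/login", "/suite-auth/api/v1/token",
                   "/suite-auth/api/v1/csrfToken"}
CSRF_HEADER = "X-CSRF-TOKEN"  # exact spelling; the server does a case-sensitive match

Response = Tuple[int, Dict[str, Any]]
Sender = Callable[[str, str, Dict[str, str], Any], Response]


def csrf_token_required(method: str, content_type: Optional[str]) -> bool:
    """Documented rule: token needed only if the method mutates AND the
    Content-Type is not application/json. Media-type parameters such as
    '; charset=utf-8' are ignored (assumption about the server's comparison)."""
    if method.upper() not in MUTATING_METHODS:
        return False
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    return media_type != "application/json"


class FakeSuiteAuth:
    """Constructed stand-in for the auth and resource services (not the real ones).
    Each token endpoint issues a fresh csrfToken and invalidates the previous one."""

    def __init__(self) -> None:
        self.valid_token: Optional[str] = None
        self.issued = 0
        self.calls: List[Tuple[str, str, Dict[str, str]]] = []  # request log

    def handle(self, method: str, path: str, headers: Dict[str, str], body: Any) -> Response:
        self.calls.append((method, path, dict(headers)))
        if path in TOKEN_ENDPOINTS:
            self.issued += 1
            self.valid_token = "csrf-%d" % self.issued
            return 200, {"csrfToken": self.valid_token}
        if csrf_token_required(method, headers.get("Content-Type")):
            token = headers.get(CSRF_HEADER)  # 'x-csrf-token' would not match
            if token is None or token != self.valid_token:
                return 403, {"error": "Forbidden: missing or invalid CSRF token"}
        return 200, {"ok": True}


class CsrfClient:
    """Attaches X-CSRF-TOKEN to every POST/PUT/DELETE (harmless where not required,
    as the page's own Python example does). On 403 it fetches a fresh token from
    /suite-auth/api/v1/csrfToken and retries once (retry policy is an assumption)."""

    def __init__(self, send: Sender) -> None:
        self.send = send
        self.csrf_token: Optional[str] = None
        self.retries = 0

    def login(self, username: str, password: str) -> int:
        status, body = self.send("POST", "/suite-auth/login",
                                 {"Content-Type": "application/json"},
                                 {"username": username, "password": password})
        if status == 200:
            self.csrf_token = body["csrfToken"]  # token travels in the login response
        return status

    def refresh_csrf_token(self) -> str:
        status, body = self.send("GET", "/suite-auth/api/v1/csrfToken", {}, None)
        if status != 200 or "csrfToken" not in body:
            raise RuntimeError("could not retrieve CSRF token (HTTP %d)" % status)
        self.csrf_token = body["csrfToken"]
        return self.csrf_token

    def request(self, method: str, path: str, body: Any = None,
                content_type: Optional[str] = None) -> Response:
        method = method.upper()
        headers: Dict[str, str] = {}
        if content_type:
            headers["Content-Type"] = content_type
        if method not in MUTATING_METHODS:
            return self.send(method, path, headers, body)  # GET etc.: no token needed
        if self.csrf_token is None:
            raise RuntimeError("log in first; token retrieval requires authentication")
        headers[CSRF_HEADER] = self.csrf_token
        status, resp = self.send(method, path, headers, body)
        if status == 403:  # stale or rotated token: refresh once and retry
            self.retries += 1
            headers[CSRF_HEADER] = self.refresh_csrf_token()
            status, resp = self.send(method, path, headers, body)
        return status, resp


def demo() -> Dict[str, Any]:
    """Walk through the documented scenarios; resource paths are hypothetical."""
    server = FakeSuiteAuth()
    client = CsrfClient(server.handle)
    upload = {"Content-Type": "multipart/form-data"}
    out: Dict[str, Any] = {}
    # 1. Logo upload (POST, non-JSON) without the header: the 403 the page describes.
    out["no_token"] = server.handle("POST", "/logo", upload, b"png-bytes")[0]
    # 2. After login the same upload carries the token and succeeds.
    client.login("admin", "example-password")
    out["with_token"] = client.request("POST", "/logo", b"png-bytes", "multipart/form-data")[0]
    # 3. Wrong-case header name is ignored by the case-sensitive check.
    bad = dict(upload, **{"x-csrf-token": client.csrf_token})
    out["lowercase_name"] = server.handle("POST", "/logo", bad, b"png-bytes")[0]
    # 4. Token rotated elsewhere (a token refresh); the client recovers on its own.
    server.handle("POST", "/suite-auth/api/v1/token", {}, None)
    out["after_rotation"] = client.request("DELETE", "/cloudaccounts/42")[0]
    out["retries"] = client.retries
    # 5. A GET never carries the token.
    client.request("GET", "/cloudaccounts/42")
    out["get_has_header"] = CSRF_HEADER in server.calls[-1][2]
    return out


if __name__ == "__main__":
    print(demo())
```

To use this against a real Suite, replace the fake `send` with a function that issues the request through the authenticated `requests.Session` from the API Authentication page and returns `(response.status_code, response.json())`; the client logic does not change. The retry in `request` refreshes the token at most once, so a persistent 403 (for example, an expired session rather than a stale token) surfaces to the caller instead of looping.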

© 2017-2019 Cisco Systems, Inc. All rights reserved