Tab – CSRF Tokens

Airlock Gateway supports automatic CSRF token injection and validation to protect sessions against CSRF (Cross-Site Request Forgery) attacks.

  • If CSRF tokens are enabled, Airlock Gateway adds a random CSRF token to responses delivered by back-ends before they are sent to the client.
  • Subsequent requests (form posts or AJAX requests) must include the CSRF token to be accepted except for the request types GET, HEAD, and OPTIONS.

If session-based URL encryption is enabled, sessions are already protected against CSRF except for URLs that have been configured as path exceptions. A common reason for URL path exceptions is URLs that are dynamically generated on the client.

However, for URLs that are not URL encrypted, we recommend enabling CSRF tokens as a complementary measure for CSRF protection.

CSRF Tokens

Enable CSRF tokens

Enables automatic CSRF token injection and validation on this mapping.

Invalid token redirect location

If a missing or invalid CSRF token is detected, the client is redirected to the configured location (e.g. to /index.html)

The token redirect location must be configured as a path exception if it is located behind the same URL mapping. Otherwise, a continuous redirect loop is initiated.

Invalid tokens may occur because of session timeouts or terminated sessions and do not necessarily imply active attacks.

Path Exception Pattern

All incoming URLs that match one of these patterns are accepted by Airlock Gateway without a valid CSRF token. The ignore case (ICase) option specifies whether the pattern is matched case-sensitively or not. Exception patterns are configured in a list of regular expressions.

The following example adds the URL /index.html as an exception. This allows users to bookmark the index page in their browsers and access it initially without a CSRF token.
All other URLs on that mapping require a valid CSRF token:


To allow requests without CSRF tokens to the root directory of the mapping use the following configuration example:


Token validity and propagation

The CSRF tokens are valid for the current session and are delivered in a cookie. Due to the Same-origin policy, these CSRF cookies can not be accessed by foreign scripts from other origins.

The attachment of CSRF tokens to requests is automatically handled by a piece of JavaScript code provided by Airlock Gateway. The CSRF JavaScript code is included by adding a script tag at the beginning of HTML pages:

<script src="..." type="text/javascript"></script>

Depending on the type of request, the Gateway script adds the CSRF token as a hidden parameter (i.e. for form posts) or as an additional HTTP header (for AJAX requests). Upon successful verification, CSRF tokens are removed from requests, i.e., the tokens are not propagated to back-end applications.