Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is a type of exploit that allows attackers to perform unauthorized actions on behalf of a user that the web application trusts. For example, if you are logged into Sisense, and open another web page or email provided by the attacker, this can allow the attacker to exploit your authenticated session in Sisense and perform unwanted actions.

Note:
  • CSRF security hardening protection is enabled by default in version L2021.5.0 and later.
  • When CSRF protection is enabled in Sisense, add the parent domain to the Security Settings (Admin tab > search for and select Security Settings, located under Security & Access) before using SisenseJS and/or Sisense Mobile.

If Cross-Site Request Forgery (CSRF) protection is turned on, a request from your add-on to the Sisense API can be rejected with a 401 error. To keep working with the Sisense API under the new restrictions, Sisense implemented a new service called 'httpCommunicateService'. Requests from an allowed domain must carry the corresponding "origin" or "referer" header so that Sisense can validate that the request comes from an allowed origin. Every add-on that makes HTTP requests to the Sisense API should use the 'httpCommunicateService' service when CSRF protection is enabled; the service sends requests to the server with the required headers. Below are several examples of how you can use the service in your add-ons.

Alternatively, you can authenticate with a bearer token. Requests authenticated with a bearer token are not subject to the CSRF check, because the token is attached explicitly by the caller rather than sent automatically by the browser like a session cookie.

Add one of the attached httpCommunicate service files to your add-on (three versions are attached: an Angular service in ES5, an Angular service in ES6, and a plain JavaScript ES6 module).

For Angular

  1. Download the relevant file and include it with your add-on.
  2. Import the file with the following command:

    ES5

    import { httpCommunicate } from './httpCommunicate.6';

    ES6

    import { httpCommunicate } from './httpCommunicate.5';

    In your add-on, you can create a config object, for example:

    const config = { url: '/api/groups', method: 'GET', data: {} };

    and then pass the object to the function:

    httpCommunicate(config);

    or call it through the Angular service:

    $httpCommunicateService.httpCommunicate(config);

For JavaScript

  1. Download the relevant file and include it with your add-on.
  2. Import the file with the following command:

    import { httpCommunicate } from './httpCommunicate.5';

    In your add-on, you can create a config object with success and error callbacks, for example:

    const config = { type: 'GET', url: '/api/groups', data: {}, success: (data) => {}, error: (err) => {} };

    and then pass the object to the function:

    httpCommunicate(config, true);

    or call it through the Angular service:

    $httpCommunicateService.httpCommunicate(config, true);

Affected API Endpoints

Every GET endpoint is allowed without a token, and every non-GET endpoint requires a token, with the following exceptions:

  • Restricted GET endpoint (requires a token): '/api/auth/logout'

  • Allowed POST requests (no token required): '/app/data', '/app/dev', '/app/jaqleditor', '/app/main', '/app/oauth', '/app/paths', '/app/reporting', '/app/scripteditor', '/app/settings', '/app/sqleditor', '/app/test'
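The gating rules this page describes, modelled as one server-side decision function: the origin/referer validation against allowed parent domains from the service section above, the bearer-token exception, and the endpoint exceptions just listed. This is an added example, not Sisense's own code. The allowed parent domains, the sample requests and the function names are constructed for illustration, header keys are assumed lowercase as Node's HTTP parser delivers them, and only the origin/referer route is modelled (the page's CSRF-token route is not). It runs under Node with no dependencies.

```javascript
// Added example (not Sisense's own code): a model of the CSRF request gate this page
// describes. Allowed parent domains, request samples and function names are constructed
// for illustration; header keys are assumed lowercase, as Node's HTTP parser delivers them.

// Parent domains an administrator added under Security Settings (constructed sample values).
const ALLOWED_PARENT_DOMAINS = ['example.com', 'dashboards.example.net'];

// Endpoint exceptions as listed on this page.
const RESTRICTED_GET = new Set(['/api/auth/logout']);
const ALLOWED_POST = new Set([
  '/app/data', '/app/dev', '/app/jaqleditor', '/app/main', '/app/oauth', '/app/paths',
  '/app/reporting', '/app/scripteditor', '/app/settings', '/app/sqleditor', '/app/test',
]);

// Hostname of an Origin or Referer header value; null when the header is absent or not a URL
// (the literal Origin value "null" that sandboxed or opaque contexts send ends up here too).
function hostOf(headerValue) {
  if (!headerValue) return null;
  try {
    return new URL(headerValue).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// A host matches when it is an allowed domain or a subdomain of one. Matching on the
// dot-delimited suffix matters: "example.com.attacker.test" must not pass as "example.com".
function isAllowedHost(host) {
  if (!host) return false;
  return ALLOWED_PARENT_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

// Origin is authoritative when present (an unparsable Origin is a deny, not a fallback);
// Referer is consulted only when the browser sent no Origin header at all.
function originIsAllowed(headers) {
  if (headers.origin) return isAllowedHost(hostOf(headers.origin));
  return isAllowedHost(hostOf(headers.referer));
}

// Decide whether a request passes the CSRF gate. Returns { allowed, reason }.
function checkRequest({ method, path, headers = {} }) {
  const m = method.toUpperCase();
  const pathname = path.split('?')[0];

  // A bearer token is attached explicitly by the caller and never sent automatically by
  // the browser the way session cookies are, so the CSRF check does not apply to it.
  if (/^Bearer\s+\S+/i.test(headers.authorization || '')) {
    return { allowed: true, reason: 'bearer token: CSRF check not applied' };
  }
  if (m === 'GET' && !RESTRICTED_GET.has(pathname)) {
    return { allowed: true, reason: 'GET endpoint' };
  }
  if (m === 'POST' && ALLOWED_POST.has(pathname)) {
    return { allowed: true, reason: 'POST endpoint on the exception list' };
  }
  // Everything else, including the restricted GET, must originate from an allowed domain.
  return originIsAllowed(headers)
    ? { allowed: true, reason: 'origin/referer is an allowed domain' }
    : { allowed: false, reason: 'origin/referer missing or not allowed (would return 401)' };
}

// Constructed sample requests: an add-on on an allowed domain, a page on another site,
// a look-alike domain, an exception-list POST, and an API client using a bearer token.
const SAMPLE_REQUESTS = [
  { method: 'GET', path: '/api/groups', headers: {} },
  { method: 'GET', path: '/api/auth/logout', headers: { referer: 'https://other-site.example.org/page' } },
  { method: 'POST', path: '/api/v1/users', headers: { origin: 'https://bi.example.com' } },
  { method: 'POST', path: '/api/v1/users', headers: { origin: 'https://example.com.attacker.test' } },
  { method: 'POST', path: '/app/data', headers: {} },
  { method: 'DELETE', path: '/api/v1/users/1', headers: { authorization: 'Bearer <token placeholder>' } },
];

// Run every sample through the gate and return the decisions.
function demo() {
  return SAMPLE_REQUESTS.map((r) => ({ method: r.method, path: r.path, ...checkRequest(r) }));
}

console.log(demo());
```

The two details worth copying are the suffix match (`host === d || host.endsWith('.' + d)` rather than a substring test, so a look-alike domain that merely contains the allowed name is rejected) and the treatment of an Origin header that is present but not a URL as a denial rather than falling through to Referer.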