Support for cross-site request forgery (CSRF) prevention was added in PTC FlexPLM 11.0 M030 for the majority of data-altering actions.

The solution implemented by PTC FlexPLM is to generate a unique token for each user when their session is established. This unique token is called a nonce and is cached in the user session. Each time a data altering URL is generated by the server for this session, the server includes the nonce in a hidden form field named CSRF_NONCE. When the user submits the form for the action, this hidden field is sent back to the server which can then compare the nonce in the request with the nonce in the session. If the nonce is missing or does not match, then the request is rejected with the following error: A potential security problem was detected. Refresh the page and try again. If the problem persists, contact your administrator. The events detected as potential CSRF attacks are also recorded in the audit logs.

Cross-site request forgery (CSRF) attacks can be prevented by ensuring that any request to perform an action that either creates, updates, or deletes data in the application can only have come from a valid user clicking a valid link generated from within the application, and not from a URL crafted by a third party and submitted unwittingly by the user.

The various CSRF prevention techniques include:

To protect an action from CSRF attacks, do the following: