Configuring Cross-Site Request Forgery Protection
Cross-site request forgery (CSRF) protection is enabled by default in Windchill. You can configure the CSRF nonce expiration and potential attack email notifications by adding the corresponding properties in wt.properties using the xconfmanager utility.
For more information, see Using the xconfmanager Utility.
Nonce Expiration
By default, the CSRF nonce is set to expire 24 hours after it has been created. The nonce timeout is deliberately not tied to the session timeout, because Windchill has long-running processes that may outlast the session. This timeout value, set in minutes, is configurable and can be changed by adding the property com.ptc.core.appsec.CSRFNonceTimeout.
For example, com.ptc.core.appsec.CSRFNonceTimeout=1440
Notification Emails
Email notification can be set up to alert administrators to potential CSRF attacks. By modifying the following properties, you can configure the number of potential attacks recorded before a notification is sent, how often the notifications are sent, and who receives the notification.
Property: com.ptc.core.appsec.securityAlertEmailAccount
Description: The recipient of the potential attack notification email. By default, the email is sent to the administrator identified by the wt.admin.defaultAdministratorName property. Another user or group can be assigned by setting the value of this property to either another user identifier or a group name.

Property: com.ptc.core.appsec.EventThreshold
Description: Total number of potential attacks that are logged before an email notification is sent. The default value is 5. Once the specified number of attacks is recorded, an email notification is sent to the recipient identified in the com.ptc.core.appsec.securityAlertEmailAccount property.

Property: com.ptc.core.appsec.notificationFrequency
Description: How often email notifications are sent when potential attacks are detected. This value is set in minutes. The default configuration sends at most one email per 1440 minutes (24 hours).
Once a notification is sent, the attack counter is reset to zero. The next notification will not be sent until the event threshold specified in com.ptc.core.appsec.EventThreshold is reached and the number of minutes specified in com.ptc.core.appsec.notificationFrequency has elapsed.
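The following is an added example, not Windchill code, that models the threshold, frequency and counter-reset rules described above using this page's default values, so an administrator can reason about when an alert will actually arrive; the recipient name is a placeholder for the securityAlertEmailAccount value, and the event timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Defaults stated on this page: 5 events, one email per 1440 minutes, 24-hour nonce.
EVENT_THRESHOLD = 5
NOTIFICATION_FREQUENCY_MIN = 1440
CSRF_NONCE_TIMEOUT_MIN = 1440


def nonce_is_valid(created_min: float, now_min: float,
                   timeout_min: int = CSRF_NONCE_TIMEOUT_MIN) -> bool:
    """A nonce is accepted until CSRFNonceTimeout minutes after creation,
    independent of any session timeout (all times are in minutes)."""
    age = now_min - created_min
    return 0 <= age < timeout_min


@dataclass
class CsrfAlertPolicy:
    """Model of the EventThreshold / notificationFrequency rules (assumed
    semantics, taken from the prose on this page, not from the product)."""
    event_threshold: int = EVENT_THRESHOLD
    notification_frequency_min: int = NOTIFICATION_FREQUENCY_MIN
    recipient: str = "wcadmin"          # placeholder, not a real account name
    counter: int = 0                    # potential attacks since the last email
    last_sent_min: Optional[float] = None
    sent: List[Tuple[float, str, int]] = field(default_factory=list)

    def record_event(self, now_min: float) -> bool:
        """Log one potential CSRF attack; return True if an email goes out."""
        self.counter += 1
        if self.counter < self.event_threshold:
            return False                # threshold not reached yet
        if (self.last_sent_min is not None
                and now_min - self.last_sent_min < self.notification_frequency_min):
            return False                # threshold reached, but too soon since last email
        self.sent.append((now_min, self.recipient, self.counter))
        self.counter = 0                # counter resets once a notification is sent
        self.last_sent_min = now_min
        return True


def simulate(event_times_min: List[float]) -> List[float]:
    """Run a sequence of event timestamps (minutes) through the default policy
    and return the minutes at which emails were sent."""
    policy = CsrfAlertPolicy()
    return [t for t in event_times_min if policy.record_event(t)]


if __name__ == "__main__":
    # Constructed sample: 5 quick events, 5 more within the hour, one much later.
    print(simulate([0, 1, 2, 3, 4, 10, 11, 12, 13, 14, 1500]))   # [4, 1500]
```

The second burst reaches the threshold again at minute 14 but produces no email, because fewer than 1440 minutes have passed since the first one; the alert for those events only goes out at minute 1500.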