Security

Protection against CSRF attacks

Form can be protected against Cross-Site Request Forgery (CSRF) attacks using an authorization token that is generated on the server, rendered in a hidden form field and then validated during form submission (when the bind method is called). All you must to do for such a protection is:

• Call basicSecured or automaticSecured methods instead of basic or automatic methods to define form mappings.
• Hidden field with name <root form mapping name>-formAuthToken is automatically added to the form fields. You must render this form field (as a hidden field) in the template.
• You must pass RequestContext argument to the fill method and to the bind method:

FormMapping<Registration> filledForm = 
  registrationForm.fill(formData, LOCALE, new ServletRequestContext(request));

RequestContext serves as an entry point to request-specific data that is used by the library and in this case Formio can use it to store the secret for the generated token into the user session. Token is unique for each user and for each rendering (filling) of the root form mapping. Secret for the token is cleared from the user session after the form (root mapping) is processed.