During security scans, our software is able to interject cookies as the login user in an attempt to perform CSRF [Pega 7.2.1]
We are using 7.2.1 and during security scans, our software is able to interject cookies as the login user in an attempt to perform CSRF. We have set the DSS security/csrf/secureall to true, but this doesn't seem to stop the cookies from being created on our client with the logged-in user's token. The concern is that the URL interjected could somehow be executed by the client on the server and validated. Perhaps it is my lack of knowledge on this topic, but any advice is appreciated.
I did file an SR and the DSS instance was the outcome. However, our security scan software is still able to set the cookie on the client with the login user's valid token in a URL.
Thanks
***Updated by moderator: Lochan to create new post from this reply***
Original post: cross site request forgery(CSRF)