Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user of an application to execute unwanted actions on that web application. An attacker might use any number of different tactics to trick this user into sending that request, like social engineering. Once the user clicks that link (or automatically sends that compromising request) the user might compromise their account or as an admin the whole web application depending on the type of permissions they have.

To read more about CSRF follow the link to the OWASP.

As a proxy, the Avi product can deploy countermeasures to protect the users and applications from accepting these counterfeit requests.

CSRF Protection in Avi Load Balancer

For Avi to do CSRF protection, there are a sequence of steps that are followed:

Following are the steps that occur when CSRF protection is performed through Avi Load Balancer.

  1. When a client request (POST request) comes to Avi virtual service, Avi first creates a session, and then, if the CSRF policy is enabled, it creates a CSRF token as well.

  2. On the subsequent POST request coming to Avi VS with the same session ID (as set in step 1), Avi will check for a CSRF token.

  3. Note: For AJAX requests, Avi checks the origin header to confirm whether this is our site or a different site.

  4. If the CSRF token is valid, Avi will pass the request to the backend server. If not, Avi will send a deny response with an HTTP error code 403.

If the session ID is invalid or absent, we create a new session for that request, and the request flow starts again from step 1.