Cross-Site Request Forgery

Every storefront contains some protected requests that require a high level of security protection. Authenticated shoppers who change their accounts or submit personal data to a server to complete an action typically perform these requests. Users expect that they alone make these requests, and only when they specifically initiate the request.

Cross-site request forgery (CSRF) breaks that expectation by tricking the user’s browser into making this protected request without their knowledge, but with their authorization. Salesforce B2C Commerce has a CSRF protection software library so developers can protect requests against this attack.

The CSRF protection API uses a Synchronizer Token pattern that requires random challenge tokens that are associated with the user's current session. When the user submits content from the page, the server is configured to look for and validate that token. If the token fails to validate, the request is rejected.

For sensitive business functions, including a required security token in HTTP requests can help mitigate CSRF attacks. The reason is that to be successful, the attacker has to know the randomly generated token for a particular session.

The API is exposed via the dw.web.CSRFProtection, which contains the following methods.

Here is an example of a form within ISML that uses the CSRF framework to insert the token parameter name and its corresponding value.

<form action="/submit" method="post">
   <input name="${dw.web.CSRFProtection.getTokenName()}" value="${dw.web.CSRFProtection.generateToken()"> 

Then, call CSRFProtection.validateRequest() directly in the body of the function or use a middleware implementation to validate the CSRF token.

A best practice for CSRF in SiteGenesis JavaScript controllers is to include CSRFProtection.validateRequest() when handling a specific form action. It's action-specific because not all actions submit data and require CSRF protection.

Here's an example of using the method directly in a SiteGenesis JavaScript controller.

formResult = cartForm.handleAction({
         //Add a coupon if a coupon was entered correctly and is active.
         'addCoupon': function (formgroup) {
            var CSRFProtection = require('dw/web/CSRFProtection');
                if (!CSRFProtection.validateRequest()) { //validate the request
                    app.getModel('Customer').logout();  //log the customer out            
                    app.getView().render('csrf/csrf-failed'); //render an error template
                    return null;
          var status;
          var result = {
          cart: cart,
          EnableCheckout: true,
          dontRedirect: true

SFRA comes with a middleware version of CSRF that performs CSRF checks as a middleware step, with a number of supporting methods, including the following.

Here's an example of using the middleware.
     function (req, res, next) {
        var data = res.getViewData();
        if (data && data.csrfError) {
           return next();

CSRF in Business Manager

When creating cartridges for Business Manager, B2C Commerce automatically appends CSRF tokens to every request regardless of the HTTP method. As a result, validate only the CSRF token name and value using CSRFProtection.validateRequest() directly in the body of the function in Business Manager cartridge controllers.

All first-party Business Manager pages and requests are protected by default with CSRF tokens.

X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.