Adobe Commerce is a robust ecommerce platform that ensures security by implementing several validation mechanisms. Among these is Cross-Site Request Forgery (CSRF) protection, which prevents unauthorized actions performed on behalf of an authenticated user.
Magento also relies on the X-Requested-With header to identify AJAX requests. During custom module development or integration with third-party services you may need to bypass one or both of these checks for specific endpoints.
This blog explains how to safely skip CSRF validation and handle the X-Requested-With header in Magento without compromising security.
What are CSRF and X-Requested-With?
CSRF (Cross-Site Request Forgery) is an attack in which a malicious website tricks a browser into performing actions on a trusted site where the user is logged in. Adobe Commerce protects against it by requiring a form_key token on POST requests to frontend and admin controllers and rejecting requests whose token does not match the session.
X-Requested-With is an HTTP header that browser AJAX libraries such as jQuery set to XMLHttpRequest. Magento's request object exposes it through isAjax(), which controllers use to tell AJAX calls from ordinary page navigation and to choose between a JSON and an HTML response. On its own it is not an authentication control: any HTTP client can set the header. What it does provide is a weak cross-site signal, because browsers do not add custom headers to a cross-origin request without a CORS preflight, so a plain form post from an attacker's page cannot carry it.
Why Skip CSRF and X-Requested-With Validation?
There are specific scenarios where skipping these validations is necessary:
- Integrating with third-party APIs or services that don’t send CSRF tokens.
- Allowing public or non-AJAX access to specific controllers for external operations.
- Custom module development where certain endpoints don’t require strict validation (e.g., webhook callbacks).
Skipping CSRF Validation
Magento runs the form_key check only in the frontend and adminhtml areas, so REST and SOAP web API endpoints declared in webapi.xml are not subject to it; they are protected by their own token authentication and ACL instead. For a regular controller, implement Magento's CsrfAwareActionInterface and tell the validator yourself how the request should be treated.
Here’s how you can do it:
1. Update Your Controller File
Add the CsrfAwareActionInterface to your custom controller and implement its two methods. Returning true unconditionally from validateForCsrf disables CSRF protection for that action entirely, so reserve it for endpoints that do not act on a logged-in customer or admin session, or pair it with another authentication check such as a signed request.
<?php
namespace Klizer\Csrf\Controller\Custom;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\CsrfAwareActionInterface;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\App\Request\InvalidRequestException;

class Example extends Action implements CsrfAwareActionInterface
{
    /**
     * Called only when validateForCsrf() returned false. Returning null
     * lets Magento build its default "Invalid Form Key" redirect.
     */
    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
    {
        return null;
    }

    /**
     * true  = accept the request without a form key (CSRF check disabled)
     * false = reject it through createCsrfValidationException()
     * null  = fall back to Magento's default form_key validation
     */
    public function validateForCsrf(RequestInterface $request): ?bool
    {
        return true; // Disables the form_key check for this action entirely
    }

    public function execute()
    {
        // Your controller logic here
    }
}
Skipping X-Requested-With Header Validation
Magento has no framework-level check for X-Requested-With. The check lives in individual controllers, which call $this->getRequest()->isAjax() and redirect or return a 404 when it is false; isAjax() returns true when the X-Requested-With: XMLHttpRequest header is present or when an ajax or isAjax request parameter is set. To let a custom endpoint accept requests without the header, do not gate execute() on isAjax(); use it only to pick the response format.
Here’s how:
<?php
namespace Klizer\Csrf\Controller\Custom;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\Action\Context;
use Magento\Framework\Controller\Result\JsonFactory;

class Example extends Action
{
    private JsonFactory $jsonFactory;

    public function __construct(Context $context, JsonFactory $jsonFactory)
    {
        parent::__construct($context);
        $this->jsonFactory = $jsonFactory;
    }

    public function execute()
    {
        // No isAjax() gate: requests without X-Requested-With are served too.
        $payload = ['status' => 'ok']; // your controller logic produces this

        if ($this->getRequest()->isAjax()) {
            // Header (or ajax=1 / isAjax=1 parameter) present: answer with JSON
            return $this->jsonFactory->create()->setData($payload);
        }
        // Plain browser or server-to-server request: redirect with a message
        $this->messageManager->addSuccessMessage(__('Request processed.'));
        return $this->resultRedirectFactory->create()->setRefererOrBaseUrl();
    }
}
This way the endpoint responds whether or not the X-Requested-With header is present. Because isAjax() also honours the ajax and isAjax request parameters and any client can set the header, branch on it only to choose the response format, never to decide whether a request is authorized.
Security Implications
While skipping these validations may be required in some scenarios, it’s essential to follow security best practices:
- Restrict Access
  - Limit skipped validations to specific endpoints, and only to endpoints that do not act on the customer or admin session: a state-changing action that still uses the logged-in session remains vulnerable to CSRF once the form key is dropped.
  - Replace the form key with another proof that the request is legitimate, such as an HMAC signature over the request body, a bearer token, or an IP allowlist. An allowlist must use the real client address; X-Forwarded-For is attacker-controlled unless a trusted proxy sets it.
- Sanitize Input
  - Validate all incoming data rigorously (type, length, format) to avoid injection attacks; authenticating the sender does not make the payload safe.
- Log Requests
  - Track requests to endpoints with skipped validations, including rejected ones and their source address, to monitor potential misuse.
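The following controller is an added example written for this post; it is not code from the original article or from Magento. It puts the CsrfAwareActionInterface approach from the CSRF section together with the three practices above: instead of returning true unconditionally, validateForCsrf accepts a POST only from an allowed source address whose body carries a valid HMAC signature, rejections answer with a 403 JSON result rather than the default form-key redirect, every rejection is logged, and the authenticated payload is still validated before use. The module namespace Klizer\Csrf\Controller\Webhook\Receive, the X-Signature header format, the placeholder addresses in ALLOWED_IPS and the constructor-injected shared secret are all assumptions made for the example.

```php
<?php
namespace Klizer\Csrf\Controller\Webhook;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\Action\Context;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\App\CsrfAwareActionInterface;
use Magento\Framework\App\Request\Http as HttpRequest;
use Magento\Framework\App\Request\InvalidRequestException;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\Controller\Result\JsonFactory;
use Magento\Framework\HTTP\PhpEnvironment\RemoteAddress;
use Psr\Log\LoggerInterface;

class Receive extends Action implements CsrfAwareActionInterface, HttpPostActionInterface
{
    /** Assumed sender contract: X-Signature: sha256=<hex HMAC-SHA256 over the raw body> */
    private const SIGNATURE_HEADER = 'X-Signature';
    /** Assumed sender addresses (documentation range); an empty list disables the IP check */
    private const ALLOWED_IPS = ['203.0.113.10', '203.0.113.11'];

    private JsonFactory $jsonFactory;
    private RemoteAddress $remoteAddress;
    private LoggerInterface $logger;
    private string $sharedSecret;

    public function __construct(
        Context $context,
        JsonFactory $jsonFactory,
        RemoteAddress $remoteAddress,
        LoggerInterface $logger,
        string $sharedSecret = '' // assumption: injected via di.xml; keep it in encrypted config in production
    ) {
        parent::__construct($context);
        $this->jsonFactory = $jsonFactory;
        $this->remoteAddress = $remoteAddress;
        $this->logger = $logger;
        $this->sharedSecret = $sharedSecret;
    }

    /** Constant-time comparison of the sender's signature with our own HMAC over the raw body */
    public static function isValidSignature(string $rawBody, $header, string $secret): bool
    {
        if ($secret === '' || !is_string($header) || strpos($header, 'sha256=') !== 0) {
            return false;
        }
        $expected = hash_hmac('sha256', $rawBody, $secret);
        return hash_equals($expected, (string)substr($header, strlen('sha256=')));
    }

    /**
     * Replaces the form_key check. Returns true only for a POST from an allowed
     * address with a valid signature; everything else returns false (rejected),
     * never null, which would fall back to the session-based default validation.
     */
    public function validateForCsrf(RequestInterface $request): ?bool
    {
        if (!$request instanceof HttpRequest || !$request->isPost()) {
            return false;
        }
        // RemoteAddress returns REMOTE_ADDR unless configured with trusted proxy
        // headers; never trust X-Forwarded-For from arbitrary clients.
        $ip = (string)$this->remoteAddress->getRemoteAddress();
        if (self::ALLOWED_IPS !== [] && !in_array($ip, self::ALLOWED_IPS, true)) {
            $this->logger->warning('Webhook rejected: source address not allowed', ['ip' => $ip]);
            return false;
        }
        $valid = self::isValidSignature(
            (string)$request->getContent(),
            $request->getHeader(self::SIGNATURE_HEADER),
            $this->sharedSecret
        );
        if (!$valid) {
            $this->logger->warning('Webhook rejected: missing or invalid signature', ['ip' => $ip]);
        }
        return $valid;
    }

    /** Reached only after validateForCsrf() returned false: reply 403 JSON instead of the default redirect */
    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
    {
        $result = $this->jsonFactory->create()
            ->setHttpResponseCode(403)
            ->setData(['error' => 'forbidden']);
        return new InvalidRequestException($result);
    }

    public function execute()
    {
        // Authenticated is not the same as trusted: validate the payload shape before using it
        $data = json_decode((string)$this->getRequest()->getContent(), true);
        if (!is_array($data) || !preg_match('/^\d{1,12}$/', (string)($data['order_id'] ?? ''))) {
            return $this->jsonFactory->create()
                ->setHttpResponseCode(400)
                ->setData(['error' => 'invalid payload']);
        }
        $this->logger->info('Webhook accepted', ['order_id' => $data['order_id']]);
        // ... apply the update to the order here ...
        return $this->jsonFactory->create()->setData(['status' => 'ok']);
    }
}
```

The sender must compute hash_hmac('sha256', body, secret) over the exact bytes it transmits and place the hex digest in the X-Signature header; any re-encoding of the body in transit breaks the check. Because the action never touches the customer session, a forged cross-site request gains nothing even though the form key is not required, which is the property that makes skipping the form_key check acceptable here. Register the route in the module's routes.xml as for any other frontend controller.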
Conclusion
Adobe Commerce CSRF and X-Requested-With header validations are vital for securing ecommerce operations. However, certain customizations require bypassing these validations carefully. By understanding the implications and following best practices, you can ensure a smooth integration while maintaining the platform’s security standards.
Reach out to Klizer, your expert in Adobe Commerce development, for guidance on secure customizations.