This documentation supports the 20.08 version of BMC Helix Platform. 
To view an earlier version, select 20.02 from the Product version menu.

Protection against CSRF attack vulnerability

BMC Helix Platform includes a protective measure against cross-Site request forgery (CSRF) attacks. To address the CSRF security risk, BMC Helix Platform uses custom request header for every REST API request in the BMC Helix Platform Software Development Kit (SDK).

What happens in a CSRF attack?

In a CSRF attack, users are forced to execute unwanted actions on a web application in which they are currently authenticated. 

If the victim holds a regular user account, a CSRF attack can force the user to perform state-changing requests, such as transfer funds, and change the email address. If the victim holds an administrative account, the attack can compromise the entire web application. For more information, see Cross-Site Request Forgery (CSRF) at the  OWASP Open link  website.

To protect against this vulnerability, BMC Helix Platform has an HTTP header for every cross-origin request. 

How does BMC Helix Platform handle a CSRF attack?

BMC Helix Platform has used a custom request header for every REST API call in the BMC Helix Platform Software Development Kit (SDK). This defense relies on the Same-Origin Policy (SOP) restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, web browsers don't allow JavaScript to make cross-origin requests.

The following custom header is added to BMC Helix Platform SDK:

X-Requested-By: XMLHttpRequest

If you are initiating your own HTTP requests, you can add the X-Requested-By header by specifying the following values:

``` myAppModule.config(['$httpProvider', function($httpProvider) { $httpProvider.defaults.headers.common["X-Requested-By"] = 'XMLHttpRequest'; }]); ```

For more information, see Setting up your IDE and installing BMC Helix Platform SDK.

If the header is not found, a Response.Status.BAD_REQUEST response is returned to the client.

If you use a generic HTTP request client in your development and testing, ensure that the custom request header is included with every request; otherwise, you will get a BAD_REQUEST response.

Was this page helpful? Yes No Submitting... Thank you


  1. David Fiel

    The header here should be X-Requested-By instead of X-Requested-With. This can be seen in the bottom screenshot.

    Sep 13, 2023 03:54
    1. Prachi Kalyani

      Thank you, David.

      I have updated the topic.

      Sep 13, 2023 11:11