The MQ REST API has been continually enhanced through the CD releases with support for extra object types. In 9.0.5 you can see that we continued this trend by adding the first set of APIS for MFT. I want to use this post to highlight an important change in behavior in the REST API regarding CSRF (Cross Site Request Forgery) protection.
CSRF is a type of attack which occurs when a malicious website causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. A good explanation of CSRF is available here.
Since MQ 9.0.2 the MQ REST API has provided protection against CSRF attacks using CSRF synchronizer tokens. These tokens were generated by the REST API and returned to callers of the REST API in a csrfToken cookie. Any user of the REST API that wanted to perform a state changing request, i.e. use the HTTP POST, PATCH or DELETE verbs needed to take the contents of the csrfToken cookie, put it into an HTTP header called ibm-mq-rest-csrf-token and send it with their request. If the header wasn’t set, or its value wasn’t correct, the request would fail.
While this approach provided protection against CSRF attacks it was cumbersome, and overly restrictive in certain cases where it actually prevented any use of the MQ REST API. In MQ 9.0.5 we have changed how CSRF protection works, and made it simpler. From 9.0.5 onwards there is no longer a csrfToken cookie. CSRF protection is still provided by setting the ibm-mq-rest-csrf-token header, but its value can be anything including blank. An example of this is in the following curl request:
curl -k -i -X POST https://localhost:9443/ibmmq/rest/v1/messaging/qmgr/qm905/queue/Q1/message -d "Hello world" -H "Content-Type: text/*" -u -H "ibm-mq-rest-csrf-token: dummy value"
More information on these changes is in the MQ KnowledgeCentre.
In the next couple of weeks or so I will update the sample web page that uses the MQ REST API to account for the changes in 9.0.5.
If anyone has questions on this please add a comment. Or reach out to me at email@example.com.