
Accessing REST APIs via Reverse Proxy Authentication

When authentication is handled by a reverse proxy server as described in the section Reverse Proxy Authentication, API requests that change data (i.e. POST, PUT and DELETE requests) are subject to cross-site request forgery (CSRF) protection. For IQ Server to accept these requests, they must include the HTTP header X-CSRF-TOKEN along with an HTTP cookie named CLM-CSRF-TOKEN, and the header and the cookie must carry the same value. The specific value chosen is irrelevant; it only needs to be the same for the header and the cookie.

Please refer to the documentation of your respective HTTP client on how to supply the header and cookie. For the cURL tool used in our earlier examples, this can be accomplished as follows:

curl --header "X-CSRF-TOKEN: api" --cookie "CLM-CSRF-TOKEN=api" ...
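
The same header and cookie pairing for a client built on Python's standard library, as an added example that is not part of the original documentation or the product's own code. The URL is a placeholder, and `satisfies_csrf_rule` is only a client-side model of the rule described above (an assumption about how to pre-check a request, not IQ Server's implementation).

```python
import secrets
import urllib.request
from http.cookies import SimpleCookie

CSRF_HEADER = "X-CSRF-TOKEN"    # header name given on this page
CSRF_COOKIE = "CLM-CSRF-TOKEN"  # cookie name given on this page
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# urllib stores header names via str.capitalize(); HTTP header names are
# case-insensitive, so "X-csrf-token" on the wire is equivalent.
_STORED_HEADER = CSRF_HEADER.capitalize()


def build_request(url, method, body=None, token=None):
    """Build a Request; data-changing methods get a matching header/cookie pair."""
    req = urllib.request.Request(url, data=body, method=method)
    if method.upper() in STATE_CHANGING:
        # Any value works as long as both carry it; default to a random one.
        token = token or secrets.token_urlsafe(16)
        req.add_header(CSRF_HEADER, token)
        req.add_header("Cookie", f"{CSRF_COOKIE}={token}")
    return req


def satisfies_csrf_rule(req):
    """Pre-flight check: does this outgoing request meet the rule described above?"""
    if req.get_method().upper() not in STATE_CHANGING:
        return True  # read-only requests are not subject to the check
    header_value = req.get_header(_STORED_HEADER)
    jar = SimpleCookie()
    jar.load(req.get_header("Cookie") or "")
    morsel = jar.get(CSRF_COOKIE)
    return bool(header_value) and morsel is not None and morsel.value == header_value


if __name__ == "__main__":
    # Placeholder URL (constructed); nothing is sent over the network here.
    url = "https://iq.example.invalid/placeholder-endpoint"
    for method in ("GET", "POST", "PUT", "DELETE"):
        req = build_request(url, method, body=b"{}" if method != "GET" else None)
        print(method, dict(req.header_items()), satisfies_csrf_rule(req))
```

If the client merges cookies from a cookie jar, run the check on the final request so an older CLM-CSRF-TOKEN cookie does not silently differ from the header.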