start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
Select Page


Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious website, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is authenticated. For example, this attack could transfer funds, change a password, or purchase an item in the user’s context.

CSRF tokens and same origin policy are two different ways to prevent CSRF attacks in ZIETrans. Users can select any of these or both, depending on the requirement.

A CSRF token is a unique, unpredictable secret value generated by a server-side application and sent to the client for inclusion in subsequent HTTP requests issued by the client. Once the token is issued, the server checks if the request from the client contains the expected token. If the token is missing or invalid, the request gets rejected.

The same origin policy will discard the request originating from a URL with no protocol originating from an unauthorized origin/website.

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. Users can avoid this attack in ZIETrans by setting a few XSS security parameters in the ZIETrans project.

In this blog, we will understand how we can protect against CSRF and XSS in ZIETrans.

Steps to enable CSRF protection in ZIETrans

  1. Open the ZIETrans toolkit.
  2. Go to Project settings > other tab > Client settings.
  3. Select “Enable same origin policy protection” or “Enable token based protection” based on the requirement.

zietrans settings

Figure 1: Enable same origin policy and token based protection

4. Save the changes.

5. Go to the Navigator Tab > Web Content folder > Web-INF folder. Open web.xml file.

Search for description “HatsCSRFValidationFilter”. The “target.origin” and “source.origin” parameter should be updated to your ZIETrans URL as shown below. By default, it will be blank.



This filter will invoke to validate csrf attack </description>















We can provide multiple URLs in the param-value as below by just separating the URL by comma:


Steps to enable XSS protection in ZIETrans

Open the web.xml file of ZIETrans and update the below parameters from NO to YES. By default, these parameters will be set to NO.













Comment wrap
Mainframes | July 22, 2022
Resizable Default Transformation in ZIETrans
Learn how using HCL ZIETrans, you can create a web-based application with an easy-to-use graphical user interface. Learn more about HCL ZIETrans Now!
Mainframes | July 8, 2022
Accessing ZIETrans administrative console on Liberty server
The ZIETrans administrative console allows you to view and change problem-determination settings. It also allows: Select the scope of management, View log and trace files, etc.
Mainframes | December 7, 2021
Using ZIETrans EJB
EJB is server-side software that helps summarize a particular application's business logic. With EJB, we can develop secure and scalable distributed applications.