
CSRF token enforcement for frontend API calls

  • Introduced in: OpenAEV 2.3.4

Description of changes

Starting with OpenAEV 2.3.4, API calls initiated from the OpenAEV frontend must include a valid CSRF token.

This security change protects authenticated sessions against cross-site request forgery (CSRF): a request forged from another origin would otherwise ride on the browser's session cookie, and the token proves that the request was issued by the OpenAEV frontend itself. The change affects request flows between the UI and backend APIs.

Components that interact with OpenAEV APIs through authenticated web sessions must support this CSRF mechanism.

Impact

If some platform components are upgraded while others remain on older versions, API calls can fail during authentication or state-changing requests: an upgraded backend rejects state-changing requests that carry no valid CSRF token, and older components do not send one.

Typical symptoms include:

  • 401 Unauthorized responses
  • 403 Forbidden responses (missing or invalid CSRF token)
  • Connector failures when creating, updating, or triggering operations through the OpenAEV API

Migration guide

To avoid service disruption, upgrade all OpenAEV ecosystem components together to versions compatible with OpenAEV 2.3.4.

This includes, at minimum:

  • Injectors
  • Collectors
  • Agents
  • Connectors
  • Any custom integration using authenticated frontend/API flows

Warning

Do not run mixed versions in production (for example: OpenAEV 2.3.4 with older injectors or collectors). Upgrade all components in the same maintenance window.

Validation checklist after upgrade

  1. Log in to the OpenAEV UI and trigger a standard action (for example, launch an inject or collect data).
  2. Confirm the action succeeds without authentication errors.
  3. Check platform and connector logs for 401/403 responses.
  4. Verify that no component reports API connection failures.