Community article: Nonce GET (9.0.1)
Added by api wiki on September 23, 2013

Gets a token to be used in subsequent requests for CSRF protection.

To enable CSRF protection, a web application sends a GET request to the nonce resource. The core service returns a Set-Cookie header that causes the browser to store the nonce in the DasToken cookie.

Subsequent requests to any DAS service will fail unless the DasToken cookie exactly matches the X-DAS-Token header. This prevents scripts from other sites from forging requests on the authenticated user's behalf: the browser attaches the cookie to a cross-site request automatically, but a page on another origin cannot read the cookie value and therefore cannot supply the matching header. Your web application should therefore read the DasToken cookie value and send it in the X-DAS-Token header on every subsequent request.

NOTE: The nonce resource is most useful for web applications running in a browser, where the browser manages cookies on the application's behalf. A native mobile application, for example, has no need to use the nonce resource.
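The exchange described above is the double-submit-cookie pattern: the browser-side code mirrors the DasToken cookie into the X-DAS-Token header, and the service refuses any request where the two differ. The following is an added example, not code from the DAS documentation or product. Only the endpoint path, the cookie name and the header name come from this page; the function names, the cookie-parsing helper and the server-side check are assumptions about how a client and a service would implement the rule.

```javascript
// Added example (not from the DAS documentation): both halves of the
// double-submit-cookie check described on this page. Endpoint, cookie and
// header names are taken from the page; everything else is assumed.

// Parse a Cookie header or document.cookie string ("a=1; DasToken=abc") and
// return the value of the named cookie, or null when it is absent.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    if (key === name) return decodeURIComponent(part.slice(eq + 1).trim());
  }
  return null;
}

// Browser side: build request headers so that X-DAS-Token mirrors the
// DasToken cookie. Throwing when the cookie is missing surfaces a forgotten
// GET /api/core/nonce call instead of a silent rejection by the service.
function dasHeaders(cookieString, extra = {}) {
  const token = getCookie(cookieString, "DasToken");
  if (token === null) {
    throw new Error("DasToken cookie missing: GET /api/core/nonce first");
  }
  return { ...extra, "X-DAS-Token": token };
}

// Browser side: fetch the nonce once if needed, then issue the real request
// with the header set. Uses the global fetch and document, so this function
// only runs inside a page; the helpers above are usable anywhere.
async function dasFetch(url, init = {}) {
  if (getCookie(document.cookie, "DasToken") === null) {
    await fetch("/api/core/nonce", { credentials: "same-origin" });
  }
  const headers = dasHeaders(document.cookie, init.headers || {});
  return fetch(url, { ...init, credentials: "same-origin", headers });
}

// Constant-time comparison so the server-side check does not reveal, through
// timing, how many leading characters of a submitted header value were right.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Server side: the rule from the page, "fail unless the DasToken cookie
// exactly matches the X-DAS-Token header". Returns true when the request may
// proceed. A missing cookie or a missing header is a failure, never a pass.
function csrfCheck(cookieHeader, xDasToken) {
  const cookieToken = getCookie(cookieHeader || "", "DasToken");
  if (cookieToken === null || !xDasToken) return false;
  return constantTimeEqual(cookieToken, xDasToken);
}
```

Two details matter for this pattern to hold. The DasToken cookie must remain readable by page script (it cannot be HttpOnly, unlike a session cookie), which is why the page's Set-Cookie example carries only a Path attribute; and the service must treat an absent header as a failure rather than skipping the check, because a cross-site forged request is exactly the case where the cookie arrives without the header.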

Method   URI               Description
GET      /api/core/nonce   Gets a token to be used in subsequent requests for CSRF protection.

Name     Type     Optional   Description
         string   No         Sets the DasToken cookie in browser memory

Code     Description
         OK. Indicates that the request was processed successfully.
This example shows a response to a nonce GET request.

Request sent by the client:
GET /api/core/nonce

Response returned by the server:
Set-Cookie: DasToken=4c697499-1b1c-43cb-aa6c-81b14178673f;Path=/