Community article: Nonce GET (9.0.1)
Added by api wiki on September 23, 2013

Gets a token to be used in subsequent requests for CSRF protection.

To enable CSRF protection, a web application sends a GET request to the nonce resource. The core service responds with a Set-Cookie header that causes the browser to store the nonce in the DasToken cookie.

Subsequent requests to any DAS service fail unless the value of the DasToken cookie exactly matches the X-DAS-Token header. A script running on another site can make the browser attach the cookie, but it can neither read the cookie nor add the custom header, so it cannot forge requests on the authenticated user's behalf. Your web application should therefore read the DasToken cookie value and send it in the X-DAS-Token header on every subsequent request.

NOTE: The nonce resource is most useful for web applications running in a browser. A native mobile application, for example, has no need to use the nonce resource.

Method  URI              Description
GET     /api/core/nonce  Gets a token to be used in subsequent requests for CSRF protection.

Output

Name        Type    Optional  Description
Set-Cookie  string  No        Sets the DasToken cookie in browser memory

Code  Description
200   OK. Indicates that the request was processed successfully.
Examples

This example shows a response to a nonce GET request.

Request sent by the client
GET /api/core/nonce

Response returned by the server
Set-Cookie: DasToken=4c697499-1b1c-43cb-aa6c-81b14178673f;Path=/