About Cross-Site Request Forgery Protection

To prevent cross-site request forgery attacks, users who create custom code containing HTTP POST requests (including Asynchronous JavaScript and XML (AJAX) requests) that try to update, create, or delete data in Oracle CRM On Demand must include a security token as a hidden parameter in their code. If the custom code does not contain the security token, or if the security token is used incorrectly, the request fails. When the request fails, the user sees an error message indicating that the request cannot be completed because the key is invalid or has expired, and the user must refresh the page.

The security token that users must include in their code is shown in the following table.

Parameter Component

Token Code





NOTE: The token code is case sensitive, and must be exactly as shown in the table. Any error in the token code causes the request to fail.
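A pre-deployment check for the two requirements above (the hidden token must be present in POST code, and it must match exactly, including case), written as an added example that is not Oracle code. The token strings are constructed placeholders, the split into a name code and a value code is an assumption about the table, and the check covers HTML forms only, not AJAX calls.

```javascript
// Added example, not Oracle code. TOKEN holds constructed placeholders: replace
// them with the exact token codes from the table (assumed here to be one code
// for the parameter name and one for its value).
const TOKEN = { name: 'TOKEN_NAME_PLACEHOLDER', value: 'TOKEN_VALUE_PLACEHOLDER' };

// Return the value of attribute `attr` in a tag's source text, or null if absent.
function attrOf(tag, attr) {
  const re = new RegExp('\\s' + attr + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? [m[1], m[2], m[3]].find(v => v !== undefined) : null;
}

// Classify each <form> as 'ok', 'case-mismatch', 'missing-token' or 'not-post'.
// Regex parsing is a lint-level approximation, not a full HTML parser.
function checkForms(html, token = TOKEN) {
  const same = (a, b) => a.toLowerCase() === b.toLowerCase();
  const results = [];
  for (const [form] of html.matchAll(/<form\b[^>]*>[\s\S]*?<\/form\s*>/gi)) {
    const openTag = form.slice(0, form.indexOf('>') + 1);
    const id = attrOf(openTag, 'id') || '(no id)';
    if ((attrOf(openTag, 'method') || 'get').toLowerCase() !== 'post') {
      results.push({ id, status: 'not-post' }); // non-POST forms are out of scope
      continue;
    }
    const hidden = (form.match(/<input\b[^>]*>/gi) || [])
      .filter(t => (attrOf(t, 'type') || '').toLowerCase() === 'hidden')
      .map(t => ({ name: attrOf(t, 'name') || '', value: attrOf(t, 'value') || '' }));
    let status = 'missing-token';
    if (hidden.some(h => h.name === token.name && h.value === token.value)) {
      status = 'ok';
    } else if (hidden.some(h => same(h.name, token.name) && same(h.value, token.value))) {
      status = 'case-mismatch'; // token present but not typed exactly as required
    }
    results.push({ id, status });
  }
  return results;
}

// Constructed sample of custom code (form ids are made up for this example).
const SAMPLE = `
<form id="update" method="POST"><input type="hidden"
  name="TOKEN_NAME_PLACEHOLDER" value="TOKEN_VALUE_PLACEHOLDER"></form>
<form id="delete" method="post"><input type="hidden"
  name="token_name_placeholder" value="TOKEN_VALUE_PLACEHOLDER"></form>
<form id="create" method="post"><input type="text" name="title"></form>
<form id="search"><input name="q"></form>`;
console.log(checkForms(SAMPLE));
```

Forms reported as `case-mismatch` or `missing-token` are the ones whose requests would fail with the invalid or expired key error.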

This protection feature for cross-site request forgery is controlled by the Cross-Site Request Forgery Protection Enabled check box on the company profile. The feature is enabled by default when your company is set up to use Oracle CRM On Demand, and you cannot disable it.

Published 5/4/2012 Copyright © 2005, 2012, Oracle. All rights reserved. Legal Notices.