diff --git a/docs/deployment/breaking-changes.md b/docs/deployment/breaking-changes.md index 4cae4837..14124dba 100644 --- a/docs/deployment/breaking-changes.md +++ b/docs/deployment/breaking-changes.md @@ -14,6 +14,7 @@ implemented. | [OpenCTI / OpenAEV compatibility](#octi-oaev-compatibility) | - | 2.2.0 | | [OpenAEV encryption of secret](#openaev-encryption) | - | 2.1.0 | | [OpenAEV renaming](#openaev-renaming) | 1.18.20 | 2.0.0 | +| [OpenAEV CSRF](#openaev-csrf) | - | 2.3.4 | ## OpenAEV 2.2.0 @@ -72,4 +73,17 @@ automated. Take note that the first startup can be longer, all modifications have to be applied, and it can take a bit longer than usual. -For more details, see [this migration guide](breaking-changes/2.0.0-openaev-renaming.md) \ No newline at end of file +For more details, see [this migration guide](breaking-changes/2.0.0-openaev-renaming.md) + +## OpenAEV 2.3.4 + +### Introduction + + + +#### OpenAEV CSRF protection for frontend API calls + +Starting with **OpenAEV 2.3.4**, frontend-initiated API calls must include a valid CSRF token. +To prevent API authentication and connection issues, make sure all ecosystem components are upgraded to versions compatible with OpenAEV 2.3.4. + +For more details, see [this migration guide](breaking-changes/2.3.4-csrf-token-enforcement.md) \ No newline at end of file diff --git a/docs/deployment/breaking-changes/2.3.4-csrf-token-enforcement.md b/docs/deployment/breaking-changes/2.3.4-csrf-token-enforcement.md new file mode 100644 index 00000000..560abfb5 --- /dev/null +++ b/docs/deployment/breaking-changes/2.3.4-csrf-token-enforcement.md 
@@ -0,0 +1,46 @@ +# CSRF token enforcement for frontend API calls + +!!! info "" + + * **Introduced in**: `OpenAEV 2.3.4` + +## Description of changes + +Starting with **OpenAEV 2.3.4**, API calls initiated from the **OpenAEV frontend** must include a valid **CSRF token**. + +This security change protects authenticated sessions against cross-site request forgery and affects request flows between the UI and backend APIs. + +Components that interact with OpenAEV APIs through authenticated web sessions must support this CSRF mechanism. + +## Impact + +If some platform components are upgraded while others remain on older versions, API calls can fail during authentication or state-changing requests. + +Typical symptoms include: + +- `401 Unauthorized` responses +- `403 Forbidden` responses (missing or invalid CSRF token) +- Connector failures when creating, updating, or triggering operations through the OpenAEV API + +## Migration guide + +To avoid service disruption, upgrade all OpenAEV ecosystem components together to versions compatible with **OpenAEV 2.3.4**. + +This includes, at minimum: + +- Injectors +- Collectors +- Agents +- Connectors +- Any custom integration using authenticated frontend/API flows + +!!! warning + + Do not run mixed versions in production (for example: OpenAEV `2.3.4` with older injectors or collectors). Upgrade all components in the same maintenance window. + +## Validation checklist after upgrade + +1. Log in to the OpenAEV UI and trigger a standard action (for example, launch an inject or collect data). +2. Confirm the action succeeds without authentication errors. +3. Check platform and connector logs for `401`/`403` responses. +4. Verify that no component reports API connection failures.
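Review bot: in the first `breaking-changes.md` hunk (`@@ -14,6 +14,7 @@`) the new table row links to `#openaev-csrf`, but the section this patch adds further down is headed `#### OpenAEV CSRF protection for frontend API calls`, which will not generate that anchor on its own; if the existing entries such as `#openaev-encryption` rely on explicit heading ids, the new heading needs the same id, otherwise change the link target to the generated slug so the compatibility table does not point at a dead anchor.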
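Review bot: in the second `breaking-changes.md` hunk (`@@ -72,4 +73,17 @@`) `### Introduction` is followed only by blank lines and then the `####` heading, so it renders as an empty section; either add the one-line release summary the other version sections carry or drop the heading. The hunk also leaves the file ending with `\ No newline at end of file` after the migration-guide link; adding a trailing newline now avoids the same diff noise the next time a release section is appended.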
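Review bot: the new `2.3.4-csrf-token-enforcement.md` states that frontend-initiated calls must include a valid CSRF token and lists `Any custom integration using authenticated frontend/API flows` as affected, yet it never says where the token is obtained or which header or cookie carries it, nor whether calls authenticated with an API token (the usual mode for injectors, collectors and agents) are exempt; a short paragraph on the mechanism, or a link to where it is documented, is what an integrator needs to check a client before the upgrade window. Relatedly, the Impact section lists `401 Unauthorized` next to `403 Forbidden` responses (missing or invalid CSRF token) without saying which condition produces which, which makes step 3 of the validation checklist (`Check platform and connector logs for 401/403 responses`) harder to act on.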