Using CSRF tokens to safeguard Matillion ETL instances
From version 1.47.7 of Matillion ETL and onwards, Matillion ETL instances are secured by cross-site request forgery (CSRF) tokens that refresh automatically. This update mitigates the danger of both cross-site request forgery, and websocket hijacking, upon a Matillion ETL instance.
The Matillion ETL client makes a GET call, which requires authentication and upon successful authentication, returns a particular websocket header containing an encoded URL with the relevant token stored in the HTTP session.
The filter is automatically enabled—no action is required by the user for this security filter to work. User action is required for users who wish to manually override the CSRF filtering (disable the feature).
To manually enable or disable the CSRF filtering, users can either:
- Edit /etc/sysconfig/tomcat with the below variable to enable or disable the feature. Users must ensure they include the MTLN_ prefix in the variable.
- Manually enable: MTLN_CSRF_FILTER_DISABLED=false
- Manually disable: MTLN_CSRF_FILTER_DISABLED=true
- Edit /usr/share/emerald/WEB-INF/classes/Emerald.properties with the below variable to enable or disable the feature. The MTLN_ prefix is not required.
- Manually enable: CSRF_FILTER_DISABLED=false
- Manually disable: CSRF_FILTER_DISABLED=true
- Users should update their Matillion ETL instance to version 1.47.7 or later to ensure that this filter is active within their instance.
- The CSRF token expires after five minutes and a new token is automatically generated in the background. No action is required by the user with regards to CSRF tokens.
If you experience any trouble with your Matillion ETL instance, please contact support.