zowe / api-layer

The API Mediation Layer provides a single point of access for mainframe service REST APIs.
Eclipse Public License 2.0

Why add header X-CSRF-ZOSMF-HEADER for using zOSMF services #1928

Closed markklerks closed 2 years ago

markklerks commented 2 years ago

In Zowe API ML, when I use the zOSMF REST service GET "https://xxxxx.xx.COM:7554/ibmzosmf/api/v1/zosmf/restjobs/jobs", I need to add a header X-CSRF-ZOSMF-HEADER with value "any" to prevent getting an error: { "errorID": "IZUG846W", "errorMsg": "IZUG846W: An HTTP request for a z/OSMF REST service was received from a remote site. The request was rejected, however, because the remote site \"\" is not permitted to z/OSMF server \"IZUSVR\" on target system \"MAINFRAME.EU.PACCAR.COM:443\" ." }

Why is this? Won't I be going around security mechanisms by doing this?

balhar-jakub commented 2 years ago

@markklerks In general, this header is a specific header related to CSRF that is used by zOSMF to limit access in CSRF (cross-site request forgery) use cases.

So, if you aren't using it from a browser but from some other type of client then most probably this header is irrelevant for you, and adding it doesn't introduce any security risk at all.

If you are using it from the browser, then let us know and we can together go through the use case in more detail to see whether there is any risk introduced.
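To make the answer above concrete, here is an added illustrative model of the custom-header CSRF defence (it is not z/OSMF's or API ML's code; the header name and the "any" value come from this issue, the sample request headers are constructed, and the exact rejection logic is an assumption). A forged cross-site request that a browser fires from a form, link or image tag carries only the headers the browser adds itself, so it can never contain the custom header; a script or BI tool sets headers freely, which is why adding it there costs nothing.

```python
# Added example, not code from the zowe/api-layer project: a model of the
# "custom request header" CSRF pattern that the X-CSRF-ZOSMF-HEADER relies on.
# Server-side logic below is an assumption for illustration, not z/OSMF's.

CSRF_HEADER = "X-CSRF-ZOSMF-HEADER"  # header name quoted in the issue

# Constructed sample: headers a browser attaches on its own to a cross-site
# form/link request. No custom header can appear here; adding one from
# another origin would require a CORS preflight that the server must approve.
FORGED_BROWSER_REQUEST = {
    "Host": "mainframe.example.com:7554",
    "Origin": "https://attacker-site.example.net",
    "Referer": "https://attacker-site.example.net/page.html",
    "Cookie": "jwtToken=CONSTRUCTED_SAMPLE_SESSION_COOKIE",
}


def script_client_headers(auth_header: str) -> dict:
    """Headers a non-browser client (PowerShell, Python, Power BI, Tableau)
    would send. Such a client is never subject to browser same-origin rules,
    so the header is a harmless formality for it (the point made above)."""
    return {
        "Authorization": auth_header,
        CSRF_HEADER: "any",  # presence is what matters; the value is arbitrary
    }


def csrf_check(headers: dict) -> tuple[bool, str]:
    """Modelled server decision: accept only when the custom header is present.
    Header names are case-insensitive (RFC 9110), so compare lower-cased."""
    names = {name.lower() for name in headers}
    if CSRF_HEADER.lower() in names:
        return True, "accepted: custom header present, request was built deliberately"
    # Without the header the server cannot tell a legitimate call from a
    # forged cross-site request riding on the victim's cookies, so it refuses.
    origin = headers.get("Origin", "")
    return False, f'rejected: remote site "{origin}" did not supply {CSRF_HEADER}'


if __name__ == "__main__":
    print(csrf_check(FORGED_BROWSER_REQUEST))
    print(csrf_check(script_client_headers("Bearer CONSTRUCTED_TOKEN")))
```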

markklerks commented 2 years ago

Thank you for reaching out here. The use case where we would be using it from a browser is not a very important one, it would just be to have an easy possibility for a quick test of the correctness of the API-call.

The use cases we are looking for are using it in a dashboard or report in PowerBI- or Tableau-like applications, or using it in a deployment script situation, such as within a PowerShell script.

balhar-jakub commented 2 years ago

For the use cases that you have in mind, you are safe and there is no risk there.