Merative Ideas Portal

Status Delivered
Categories Universal Access
Created by Guest
Created on Feb 14, 2019

Provide Token based CSRF protection to Citizen Engagement

There are two ways to protect against CSRF attacks:

1. Using the Referer Header
2. Using a one time nonce or sync token

OWASP considers 2 the most secure mitigation.

Traditional Curam user interfaces like IEG had 2 implemented.

The IBM CW / Design System / mobile responsive IEG do not. This should be added to the product.

Customer Name: City of New York - Department of Information Technology (DoITT)
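The two mitigations the request names, written out as an added example (not code from the original post, nor from the Cúram / SPM product): a Referer/Origin check and a synchronizer-token check, combined so that a state-changing request must pass both while safe methods are exempt. The trusted origin, the in-memory session store and the sample requests are constructed assumptions for the demonstration.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed stand-in for a server-side session store: session id -> CSRF token.
SESSIONS: Dict[str, str] = {}
TRUSTED_ORIGIN = "https://portal.example"  # assumed deployment origin (constructed)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods need no CSRF check


def issue_token(session_id: str) -> str:
    """Mint a fresh unpredictable synchronizer token and bind it to the session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def referer_check(headers: Dict[str, str]) -> bool:
    """Mitigation 1: accept only requests whose Origin (preferred) or Referer
    names our own origin. A missing header fails closed, because browsers and
    proxies may strip Referer and an attacker's page cannot forge Origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def token_check(session_id: str, submitted: Optional[str]) -> bool:
    """Mitigation 2: the token carried in the request body or a custom header
    must equal the one bound to the caller's session. compare_digest keeps the
    comparison constant-time so the token is not leaked through timing."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def authorize(method: str, headers: Dict[str, str],
              session_id: str, submitted: Optional[str]) -> bool:
    """Gate for every operation: safe methods pass, anything else needs both checks."""
    if method.upper() in SAFE_METHODS:
        return True
    return referer_check(headers) and token_check(session_id, submitted)
```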
  • Guest, Nov 6, 2020

    Hi Fintan,
    We are pleased to inform you that your enhancement request has been delivered in the new release of IBM Social Program Management, version 7.0.11.0.

    Cross-Site Request Forgery (CSRF) token based protection is now available for Universal Access deployments.

    Thank you for taking the time to share your ideas with us. We are now closing this request as delivered.

    Regards,
    Shane McFadden, SPM Offering Management team
    You can find more information on the request process here.

  • Guest, Mar 20, 2020

    Hi Fintan,

    We are happy to inform you that your enhancement request has been delivered in the new release of IBM Cúram Social Program Management, version 7.0.10.0.

    The SPM REST infrastructure has been enhanced to support additional token-based protection for all REST operations.
    More information can be found in 'WorkItem:257082 - Enhanced Cross-Site Request Forgery (CSRF) token based protection' in the 7.0.10 Release notes: https://www.ibm.com/support/pages/node/5694717

    We hope that this addition to the product will meet your requirements sufficiently.

    I will now close this ticket as delivered.

    Thank you for your interest in the Cúram product.
    Shane McFadden, Cúram SPM Product Management team

  • Guest, Feb 18, 2019

    Hi Fintan,

    We acknowledge that this enhancement request has been accepted for consideration. It may not be delivered within the release currently under development; however, the theme is aligned with our current multi-year strategy and will be considered for a future release.

    IBM may consider and evaluate any RFE Community feedback for this request through activities such as voting.

    IBM will update this request in the future.

    Thank you for your interest in the Cúram product.
    Shane McFadden, Cúram SPM Product Management team

  • Guest, Feb 15, 2019

    Hi Fintan,

    Thank you for your enhancement request.
    We require some further analysis to determine whether or not this enhancement can be considered in a future release.
    I will provide another response when our investigation is complete.

    Thank you,
    Shane McFadden, Cúram SPM Product Management team