Client-side AJAX API
Topics in this section describe APIs that can be used to modify the browser-side experience. Access control permissions apply to client-side AJAX APIs.
The current user requires access permission to execute many AJAX APIs. See each API to see which permissions are required. If the current user does not have appropriate permissions to access the API, the API call fails.
For more information about security and access permissions, see Security and access control.
CSRF Protection for Client-Side AJAX APIs
To keep client-side AJAX APIs under CSRF protection, the platform may need to enforce restrictions that prevent misuse or unauthorized calls, while keeping disruption to existing code to a minimum.
Key Changes
- Direct API Calls Restricted: Previously, developers could bypass the platform's documented client method rbf_createRecord() by calling AJAX APIs directly from the browser's network tab. For example:

  http://localhost:8830/prod1/servlet/Ajax?cmd=apiCreate&useIds=true&objName=user&loginName=bh@cp.com&email=bh@cp.com&firstName=billy&lastName=xss&role=90

  This approach is no longer supported. No code updates are required if you use the documented API methods.

- HTTP Verb Checks: Previously, create and update calls could be sent as HTTP GET. This is no longer allowed. CSRF protection now requires GET, POST, and DELETE requests to be kept separate, which the documented API methods handle correctly for you.

- URL Pattern Changes: Servlet URLs for client-side AJAX must not be invoked directly, and the platform may change them at any time. Use the documented API methods so that the platform handles routing.