Frequently asked question

Is FacesServlet vulnerable to CSRF attacks?

Last Published: April 25, 2020


Yes, FacesServlet is vulnerable to Cross Site Reference Forgery (CSRF) attacks.

ArcGIS Server Java Edition's WebADF makes explicit use of the javax.faces.webapp.FacesServlet. CSRF is a known security issue with the FacesServlet in the JSF development world. Below are two external URLs to sites that explain CSRF and possible workarounds:


Article ID:000010599

  • ArcGIS Server

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options

Related Information

Discover more on this topic