Cross-site request forgery and IBM Connections Micro Blog

I was helping a fellow developer with creating entries for a community’s IBM Connections Microblog.  He was using IBM Connections Cloud and IBM Connections 5.0 and higher.

IBM Connections includes additional protection for requests that come from third-party domains, to guard against cross-site request forgery (CSRF) and replay attacks.

You can make a POST request to https://apps.na.collabserv.com/connections/opensocial/rest/ublog/urn:lsid:lconn.ibm.com:communities.community:{communityId}/@all and get an HTTP 403 Forbidden response, even if a GET works with the same Bearer or Basic HTTP Authorization header.

If you run into this issue, add the X-Update-Nonce header to your request. You can get the nonce value from the http://apps.na.collabserv.com/files/basic/api/nonce endpoint.

The request will now work and return a 201 Content Created.

Simple workaround, and handy to know for ActivityStreams and the Microblog.
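
The two-step flow described above, sketched in Python as an added example (not code from the original post or from IBM): fetch a nonce, then send it in X-Update-Nonce on the POST. The function names are hypothetical; the JSON body shape, the plain-text nonce response, and requesting the nonce over HTTPS rather than HTTP are assumptions.

```python
import json
import urllib.request
from urllib.parse import quote

BASE = "https://apps.na.collabserv.com"   # host taken from the post
NONCE_PATH = "/files/basic/api/nonce"     # nonce endpoint from the post
UBLOG_PATH = ("/connections/opensocial/rest/ublog/"
              "urn:lsid:lconn.ibm.com:communities.community:{cid}/@all")


def fetch_nonce(auth, base=BASE, send=urllib.request.urlopen):
    """GET the nonce with the same Authorization header used for the write.

    Assumption: the body is the nonce as plain text. HTTPS is used here so the
    Authorization header is not sent in cleartext.
    """
    req = urllib.request.Request(base + NONCE_PATH,
                                 headers={"Authorization": auth})
    with send(req) as resp:
        return resp.read().decode("utf-8").strip()


def post_entry(community_id, text, auth, base=BASE,
               send=urllib.request.urlopen):
    """POST a microblog entry with a freshly fetched X-Update-Nonce.

    Returns the HTTP status. With the default urlopen, a 403 surfaces as
    urllib.error.HTTPError instead of a return value.
    """
    nonce = fetch_nonce(auth, base, send)  # one fresh nonce per write
    if not nonce or "\r" in nonce or "\n" in nonce:
        raise ValueError("nonce endpoint returned an unusable value")
    url = base + UBLOG_PATH.format(cid=quote(community_id, safe=""))
    body = json.dumps({"content": text}).encode("utf-8")  # assumed body shape
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": auth,
        "Content-Type": "application/json",
        "X-Update-Nonce": nonce,
    })
    with send(req) as resp:
        return resp.status
```

The `send` parameter exists so the flow can be exercised against a stub without touching the network; leave it at its default for real calls.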