Question | 1 reply | 1035 views
ThanhNamB (member since 2015, 7 posts), W&W Informatik
Posted: 1 year ago. Last activity: 1 year 10 months ago.
Status: Closed, Solved

How to correctly utilize CSRF Settings (security/csrf/validreferers)

Hi everyone,

We are currently trying to configure the Pega-recommended CSRF configurations. We are using PRPC 7.3.1, with either an AIX/WebSphere or a Linux/Tomcat stack.

We followed the example in https://community.pega.com/knowledgebase/articles/configuring-csrf-protection.

Though I'd still like to understand the security/csrf/validreferers field.

In the article https://community.pega.com/knowledgebase/articles/dynamic-system-settings-application-security it is written:

"If CSRF token and activity/stream validations fail, the referrer header is validated against this list. The request fails if the referrer header is not on the list."

Meaning that if the token is valid, Pega won't check the Referer header, and the Referer can be empty?

My second question is how to fill out the DSS setting. Let's say we have the following scenario: one load balancer, two Pega servers, and a third-party service provider which Pega calls.

Which hosts should be in the valid referers list?

Last but not least I really don't get the gist of the CSRF settings:

How does the CSRF Protection work? In which order does which validation check?

Thanks

Kind regards

Nam

@GCS

We had some issues with modals due to the CSRF protection, for which we also found a hotfix, HFIX-42996, that solves it. Please add this to the CSRF documentation, something like a "known issues" link.
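The documentation sentence quoted in the question describes an order of checks: token (and activity/stream) validation first, and only when that fails is the Referer header compared against the valid-referers list. The following is an added illustration of that order, written for this page; it is not Pega's code and not part of the original post. The allow-list, token values and requests are constructed, the activity/stream validation is collapsed into the single token check, and only the hostname of the Referer is compared, which is an assumption about how such a list is matched.

```python
"""Illustration of the CSRF fallback order quoted from the Pega DSS article:
token validation first, Referer allow-list only if that fails.
Constructed example, not Pega's implementation."""
import hmac
from urllib.parse import urlsplit

# Constructed allow-list standing in for security/csrf/validreferers.
# Hostnames only (assumption): scheme, port and path of the Referer are ignored.
VALID_REFERERS = {"lb.example.com"}


def referer_host(referer):
    """Return the lowercase hostname from a Referer header value,
    or None if the header is missing, empty or not parsable as a URL."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname  # already lowercased by urlsplit
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host or None


def referer_allowed(referer, allowlist=VALID_REFERERS):
    """True only if the Referer carries a hostname that is on the allow-list.
    A missing or unparsable Referer is never allowed at this stage."""
    host = referer_host(referer)
    return host is not None and host in {h.lower() for h in allowlist}


def token_valid(session_token, request_token):
    """Constant-time comparison of the session's CSRF token with the one
    sent in the request; missing values never match."""
    if not session_token or not request_token:
        return False
    return hmac.compare_digest(session_token, request_token)


def check_request(session_token, request_token, referer, allowlist=VALID_REFERERS):
    """Apply the order the quoted documentation describes:
    1. token validation; if it passes the request is accepted and the
       Referer is not consulted at all (so an empty Referer is fine here);
    2. otherwise the Referer hostname must be on the allow-list;
    3. otherwise the request is rejected.
    Returns (accepted, reason) so a caller can log which rule decided."""
    if token_valid(session_token, request_token):
        return True, "token"
    if referer_allowed(referer, allowlist):
        return True, "referer"
    return False, "rejected"


if __name__ == "__main__":
    # Constructed requests against a constructed session token.
    session = "s3ss10n-t0k3n"
    cases = [
        ("valid token, no Referer", session, None),
        ("bad token, Referer on list", "tampered", "https://LB.Example.com:8443/prweb/PRServlet"),
        ("no token, Referer off list", None, "https://attacker.example.net/form"),
        ("no token, no Referer", None, None),
    ]
    for label, token, ref in cases:
        accepted, reason = check_request(session, token, ref)
        print(f"{label:32} -> {'accept' if accepted else 'reject':6} ({reason})")
```

Running the module prints one decision per constructed request; the first case shows that, under the quoted order, a valid token is sufficient and the Referer is never examined, while the last case shows that a request with neither a valid token nor an acceptable Referer is rejected.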

Security