Question
Sopra Steria
NL
Last activity: 5 Aug 2024 8:54 EDT
How to use the CSRF referrer setting Allowed referrers
Hi, I need some help with configuring the CSRF on our application. For our application we need to set the samesite cookie attribute on strict. This is due to security guidelines. As a consequence of this change I am not able to refer to our application from a wiki page. When I enter our application URL in the browser the (SAML) login screen is loaded. When I refer to our application from the wiki page I get redirected to another place due to my application configuration.
According to the documentation (https://docs-previous.pega.com/security/86/understanding-cross-site-request-forgery) I found this is because the wiki I come from is not configured as an allowed referrer.
However when I configure the wiki page as allowed referrer it still does not work(See screenshot). I am using the value taken from the HTTP request headers referer value.
Am I doing something wrong?
Hi, I need some help with configuring the CSRF on our application. For our application we need to set the samesite cookie attribute on strict. This is due to security guidelines. As a consequence of this change I am not able to refer to our application from a wiki page. When I enter our application URL in the browser the (SAML) login screen is loaded. When I refer to our application from the wiki page I get redirected to another place due to my application configuration.
According to the documentation (https://docs-previous.pega.com/security/86/understanding-cross-site-request-forgery) I found this is because the wiki I come from is not configured as an allowed referrer.
However when I configure the wiki page as allowed referrer it still does not work(See screenshot). I am using the value taken from the HTTP request headers referer value.
Am I doing something wrong?
Accepted Solution
Pegasystems Inc.
GB
@SebastiaanH s INC-B9240 has been closed with the following solution:
The feedback from the SME on this issue:
Taking into account the configuration that is done in your environment, you can use Same Site cookie option set to "Lax". Option "Strict" is not allowed in this use case.
Pegasystems Inc.
GB
@SebastiaanH your screenshot did not attach to your post - could you provide it again?
To configure the CSRF settings in Pega, you need to go to the Cross-Site Request Forgery settings in Dev Studio. Here, you can add the URL of your wiki page to the "Allowed referrers" field. Make sure to enter the exact URL as it appears in the HTTP request header's referer value. If you have enabled the "Allow domains only if matches exactly with Referrer" checkbox, only the exact match will be valid. After making these changes, click "Submit". If you changed the value of "Enable CSRF token check", you must restart your system for the new value to take effect. If the issue persists, it might be due to other factors not covered in the provided context.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Enabling and configuring Cross-Site Request Forgery settings
How to correctly utilize CSRF Settings (security/csrf/validreferers)
Enabling cross-site request forgery support
@SebastiaanH your screenshot did not attach to your post - could you provide it again?
To configure the CSRF settings in Pega, you need to go to the Cross-Site Request Forgery settings in Dev Studio. Here, you can add the URL of your wiki page to the "Allowed referrers" field. Make sure to enter the exact URL as it appears in the HTTP request header's referer value. If you have enabled the "Allow domains only if matches exactly with Referrer" checkbox, only the exact match will be valid. After making these changes, click "Submit". If you changed the value of "Enable CSRF token check", you must restart your system for the new value to take effect. If the issue persists, it might be due to other factors not covered in the provided context.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Enabling and configuring Cross-Site Request Forgery settings
How to correctly utilize CSRF Settings (security/csrf/validreferers)
Enabling cross-site request forgery support
Cookie usage in Pega software > Pega Platform – Security
Understanding cross-site request forgery > Cross-site request forgery settings
Sopra Steria
NL
@MarijeSchillern Thank you for your reply
Another try for the screenshot. I added it as PDF. I tryed the options you wrote down. None of the work. I also looked at the suggested links before. I am doing what is written there.
I also created an SR to get some more detailed answers on why this is not working for me.
Updated: 19 Mar 2024 6:10 EDT
Pegasystems Inc.
GB
@SebastiaanH thanks for the update. Can you please provide the SR/ INC ticket id here?
Can you confirm the ticket is INC-B9240 (Not able to get CSRF allowed referrers to work)?
Sopra Steria
NL
@MarijeSchillern Correct that is the SR
Accepted Solution
Pegasystems Inc.
GB
@SebastiaanH s INC-B9240 has been closed with the following solution:
The feedback from the SME on this issue:
Taking into account the configuration that is done in your environment, you can use Same Site cookie option set to "Lax". Option "Strict" is not allowed in this use case.