Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Thanh Nam Bach (ThanhNamB)
W&W Informatik

W&W Informatik
DE
ThanhNamB Member since 2015 7 posts
W&W Informatik
Posted: Oct 17, 2018
Last activity: Nov 20, 2018
Posted: 17 Oct 2018 5:41 EDT
Last activity: 20 Nov 2018 13:45 EST
Closed
Solved

How to correctly utilize CSRF Settings (security/csrf/validreferers)

Hi everyone,

we are currently trying to configure the pega recommended csrf Configurations. We are using PRPC 7.3.1, with either AIX/Websphere or Linux/Tomcat stack.

We followed the example in https://community.pega.com/knowledgebase/articles/configuring-csrf-protection.

Though i'd still like to understand the security/csrf/validreferers field.

In the article https://community.pega.com/knowledgebase/articles/dynamic-system-settings-application-security is written:

Show More

Hi everyone,

we are currently trying to configure the pega recommended csrf Configurations. We are using PRPC 7.3.1, with either AIX/Websphere or Linux/Tomcat stack.

We followed the example in https://community.pega.com/knowledgebase/articles/configuring-csrf-protection.

Though i'd still like to understand the security/csrf/validreferers field.

In the article https://community.pega.com/knowledgebase/articles/dynamic-system-settings-application-security is written:

"If CSRF token and activity/stream validations fail, the referrer header is validated against this list. The request fails if the referrer header is not on the list."

Meaning that if the token is valid, Pega won't check the referer header and the referer can be empty?

My second question is, how to fill out the DSS Setting. Lets say we have the following scenario with 1 Loadbalancer and 2 pegaservers and a thirdparty service provider, which pega calls.

Which hosts should be in the valid referers list?

Last but not least I really don't get the gist of the CSRF settings:

How does the CSRF Protection work? In which order does which validation check?

Thanks

Kind regards

Nam

@GCS

We had some issues, with modals due to the CSRF where we also found a hotfix HFIX-42996 to solve it. Please add this to the CSRF Documentation, something like known issues links.


Show Less
To see attachments, please log in.
Security

Accepted Solution

Posted: 6 years ago
Posted: 23 Oct 2018 14:43 EDT
Brad Tainter (Br@dTainter_GCS)
PEGA
Fellow, Technical Support, Platform Service
Pegasystems Inc.
US

Hi ThanhNamB,

Show More

Hi ThanhNamB,

I am responding to your questions:
Meaning that if the token is valid, Pega won't check the referer header and the referer can be empty?  The referrer is not checked unless the token check fails.
 
 
Which hosts should be in the valid referers list?  If you reference everything via the load balancer, then that is what you will need to add to the list.  You can run a network trace (Fiddler/F12 Developer tools/etc) to see what the referrer value is in the responses to confirm.  However, if you can bypass the load balancer and go directly to the servers, then you should add the servers as well.  If you are calling the service provider from Pega via a connect rule, you will expect a response from that and should not need to configure the service provider.  If the service provider is calling back into PRPC, then you would likely need to add the service provider as well.  Again, a network trace will confirm that for you.
 
How does the CSRF Protection work? In which order does which validation check?
Based on the article,  Each request is examined for a valid token and is rejected, if either no token or an invalid one is provided.  (otherwise with the correct token, the request goes through) Exceptions can be configured based on the values of the HTTP Referrer header contained in the request.  Thus it checks for a valid token first, and if that fails, it checks for a valid referrer.

Show Less
To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice