Referrer validation
To help mitigate CSRF attacks, you can configure WebSEAL to validate the referer header in incoming HTTP requests. WebSEAL compares this referer header with a list of configured allowed-referers to determine whether the request is valid. This validation applies to requests for the following WebSEAL management URLs:
- /pkmslogout
- /pkmslogout-nomas
- /pkmspasswd.form
- /pkmsskip
- /pkmsdisplace
Use the allowed-referers configuration entry in the [acnt-mgt] stanza to define valid referer headers. The value for this entry can contain alphanumeric characters, spaces, periods, and wildcard characters.
You can set allowed-referers to %HOST%, which is a special filter. This filter indicates to WebSEAL that a referrer is valid if the host name portion of the referer HTTP request header matches the host HTTP request header.
If you want WebSEAL to use referrer validation, you must include at least one allowed-referers entry. For example:
[acnt-mgt]
allowed-referers = %HOST%
When WebSEAL validates an incoming request and finds no allowed-referers entry that matches the referer header in the request, the request fails and WebSEAL returns an error page.
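The following Python model illustrates the check described above: a request for one of the listed management URLs is accepted only when its Referer header satisfies at least one allowed-referers entry, with %HOST% meaning "Referer host equals the Host header" and '*' acting as a wildcard. This is an added example written for this page, not WebSEAL code; the exact wildcard semantics, the case handling, and the treatment of a missing Referer are assumptions, and the sample requests are constructed.

```python
"""
Model of WebSEAL-style referer validation for CSRF mitigation.
Added example, not IBM/WebSEAL code. Assumptions (not stated on the page):
  - '*' and '?' in an allowed-referers entry are glob wildcards;
  - host comparison for %HOST% is case-insensitive and ignores the port;
  - a request with no Referer header cannot match any entry.
"""
import fnmatch
from urllib.parse import urlsplit

# Management URLs to which referer validation applies (from the page).
PROTECTED_PATHS = {
    "/pkmslogout", "/pkmslogout-nomas", "/pkmspasswd.form",
    "/pkmsskip", "/pkmsdisplace",
}


def _host_of(referer):
    """Host component of a Referer URL (lower-case, no port), or None."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def referer_allowed(referer, request_host, allowed_referers):
    """True if the Referer satisfies at least one allowed-referers entry."""
    if not referer:
        return False  # assumption: missing Referer never matches
    for entry in allowed_referers:
        if entry == "%HOST%":
            # Special filter: Referer host must equal the Host header (port dropped).
            req_host = request_host.split(":", 1)[0].lower()
            if req_host and _host_of(referer) == req_host:
                return True
        elif fnmatch.fnmatchcase(referer, entry):
            # Plain entry, possibly with wildcards, matched against the full Referer.
            return True
    return False


def validate_request(path, headers, allowed_referers):
    """Decide whether a request passes. Returns (allowed, reason)."""
    if path not in PROTECTED_PATHS:
        return True, "path not subject to referer validation"
    if not allowed_referers:
        # Page: at least one entry is needed for referrer validation to be active.
        return True, "referer validation not configured"
    if referer_allowed(headers.get("Referer"), headers.get("Host", ""), allowed_referers):
        return True, "referer matched an allowed-referers entry"
    return False, "request fails: WebSEAL returns an error page"


# Constructed sample requests (hosts are illustrative, not real targets).
CONSTRUCTED_REQUESTS = [
    ("/pkmslogout", {"Host": "www.example.com",
                     "Referer": "https://www.example.com/portal/home"}),   # same host
    ("/pkmslogout", {"Host": "www.example.com",
                     "Referer": "https://other.example.net/page.html"}),   # foreign host
    ("/pkmslogout", {"Host": "www.example.com"}),                          # no Referer
    ("/index.html", {"Host": "www.example.com",
                     "Referer": "https://other.example.net/"}),            # not protected
]


def run_demo(allowed=("%HOST%",)):
    """Apply the configured allowed-referers to each sample request."""
    return [validate_request(path, hdrs, list(allowed))[0]
            for path, hdrs in CONSTRUCTED_REQUESTS]


if __name__ == "__main__":
    for (path, hdrs), ok in zip(CONSTRUCTED_REQUESTS, run_demo()):
        print(path, hdrs.get("Referer", "<none>"), "->", "allowed" if ok else "rejected")
```

With allowed-referers = %HOST%, only the first and last sample requests pass: the last is not a protected management URL, so the check does not apply to it at all. Swapping in an entry such as https://partner.example.org/* shows how a wildcard entry accepts a trusted external referrer while still rejecting everything else.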