allowed-referers
Use the allowed-referers stanza entry to specify which referrers can request management pages.
Syntax
allowed-referers = referer_filter
Description
For protection against cross-site request forgery (CSRF) attacks, you can configure WebSEAL to validate the HTTP Referer request header for all account management pages. WebSEAL uses the value that is provided for this configuration entry to determine whether the referrer host name in an incoming request is "valid". WebSEAL:
- Checks whether the Referer header is present in the HTTP request.
- Validates the host name portion of that referrer (not the full URL) against the allowed-referers entries.
The filter supports the following wildcard characters:
- * - match 0 or more characters.
- ? - match any single character.
- \ - literal match of the following character.
You can use the value %HOST% for this entry. This value is a special filter, which indicates to WebSEAL that a referrer is "valid" if the host name portion of the Referer header matches the Host header.
If there are no allowed-referers entries then WebSEAL does not complete this validation.
For more information about referrer validation, search for "CSRF" in the IBM Verify Identity Access: Web Reverse Proxy Configuration Guide.
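The following Python model of the validation described above is an added example, not WebSEAL's own code, and is included to make the matching rules concrete and to show where a loosely written filter fails. It assumes, beyond what this page states, that a missing Referer header (or one with no host name) fails validation, that host names compare case-insensitively, that a port in the Host header is ignored, and that the host name portion is taken from a parsed URL rather than from a raw string prefix. The sample headers in it are constructed, not captured traffic.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

HOST_FILTER = "%HOST%"  # special filter: referrer host must equal the request's Host header


def filter_to_regex(referer_filter: str) -> "re.Pattern[str]":
    """Translate one allowed-referers filter into a regular expression.

    '*' matches zero or more characters, '?' matches exactly one character and
    '\\' makes the following character literal; everything else is literal.
    """
    parts = []
    i = 0
    while i < len(referer_filter):
        ch = referer_filter[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "\\" and i + 1 < len(referer_filter):
            i += 1
            parts.append(re.escape(referer_filter[i]))
        else:
            parts.append(re.escape(ch))
        i += 1
    # Assumption: host names are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)


def host_name_of(value: Optional[str]) -> Optional[str]:
    """Return the host name portion of a URL or of a Host header value.

    Credentials, port, path and IPv6 brackets are stripped, so
    'https://www.example.com@evil.example/x' yields 'evil.example'.
    Returns None when there is no usable host name.
    """
    if not value:
        return None
    # A bare "host:port" (a Host header) needs "//" to parse as an authority.
    if "://" not in value and not value.startswith("//"):
        value = "//" + value
    try:
        return urlsplit(value).hostname or None
    except ValueError:  # e.g. malformed IPv6 literal
        return None


def referer_allowed(headers: Dict[str, str], allowed_referers: List[str]) -> bool:
    """Apply the documented referrer validation to one request's headers.

    With no allowed-referers entries the check is skipped (returns True).
    Header names are matched case-insensitively.
    """
    if not allowed_referers:
        return True
    lower = {k.lower(): v for k, v in headers.items()}
    referer_host = host_name_of(lower.get("referer"))
    if referer_host is None:
        # Assumption for this example: a missing or host-less Referer fails.
        return False
    for referer_filter in allowed_referers:
        if referer_filter == HOST_FILTER:
            request_host = host_name_of(lower.get("host"))  # port ignored
            if request_host is not None and request_host == referer_host:
                return True
        elif filter_to_regex(referer_filter).fullmatch(referer_host):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests against the two filters from this page.
    config = ["ac*me", HOST_FILTER]
    samples = [
        {"Host": "www.example.com", "Referer": "https://acme/change-password"},
        {"Host": "www.example.com:443", "Referer": "https://www.example.com/account"},
        {"Host": "www.example.com", "Referer": "https://www.example.com@evil.example/x"},
        {"Host": "www.example.com", "Referer": "https://www.example.com.evil.example/x"},
        {"Host": "www.example.com"},
    ]
    for headers in samples:
        print(headers.get("Referer", "<no Referer>"), "->", referer_allowed(headers, config))
```

Two points worth checking in your own configuration follow from the model: a filter ending in `*` (for example `www.example.com*`) also accepts `www.example.com.evil.example`, so anchor filters with a literal domain and escape dots only where a literal `.` matters, and `%HOST%` is the safest choice when the management pages are reached only through the WebSEAL host itself.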
Options
- referer_filter
- Specifies a filter for a referrer host name that WebSEAL can accept as "valid".
Usage
This stanza entry is optional.
Default value
None.
Example
The following entry matches any referrer host name that begins with the characters ac, followed by zero or more characters, and ends with the characters me.
allowed-referers = ac*me
The following entry indicates that a referrer is "valid" if the host name portion of the Referer header matches the Host header.
allowed-referers = %HOST%