enable-secret-token-validation
Use the enable-secret-token-validation stanza entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks.
Syntax
enable-secret-token-validation = {true|false} Description
Use this
entry to enable secret
token validation, which protects certain WebSEAL account management
pages against cross-site request forgery (CSRF) attacks. If you set
this entry to true, WebSEAL adds a token to
each session and validates the "token" query argument for the following
account management requests:
- /pkmslogin.form
- /pkmslogout
- /pkmslogout-nomas
- /pkmssu.form
- /pkmsskip
- /pkmsdisplace
- /pkmspaswd.form
- /pkmsoidc
If secret token validation is enabled and the token argument is missing from the request or does not match the session token, WebSEAL returns an error page. For more information about secret token validation, search for "CSRF" in the IBM Verify Identity Access: Web Reverse Proxy Configuration Guide.
Options
- true
- WebSEAL uses secret token validation to protect against CSRF attacks.Note: This setting modifies the URLs for the affected WebSEAL management pages. Each of these management requests must contain a "token" argument with the current session token.
- false
- WebSEAL does not use secret token validation.
Usage
This stanza entry is optional.
Default value
false
Example
enable-secret-token-validation = true