IBM Support

How can the referer header checker be turned off in Information Server to eliminate the error "Possible Cross-Site Request Forgery Attack." in SystemOut.log?



We see the following error messages in our SystemOut.log file: SessionFactor E Possible Cross-Site Request Forgery Attack. Request URL: http:// Referer Header: http:// Is there a way to turn off the referer header checker?


By default, Information Server tries to detect cross site scripting attacks by comparing the referer HTTP header wit the actual request URL. If they are different, that error message will show in the log file.

Diagnosing The Problem

SystemOut.log contains:

[1/5/17 12:04:51:111 CDT] 000000e0 SessionFactor E   Possible Cross-Site Request Forgery Attack. Request URL: HTTP Referer Header: https://server_abcd/lineageUIService?iis="
[1/5/17 12:04:51:116 CDT] 000000e0 SessionFactor E isXsrfSafe Possible Cross-Site Request Forgery Attack.  Request URL: HTTP Referer Header: https://server_abcd/lineageUIService?iis=

Resolving The Problem

The referer checker is turned on by default as a potential mitigation for Cross-Site Request Forgery (CSRF) attacks. It is recommended that this feature only be turned off when necessary for debugging purposes. After troubleshooting is complete, the referer checker should be re-enabled and WebSphere restarted. It is not recommended that this be permanently disabled as it will leave the site more vulnerable for attacks.

If you need to turn it off, run the iisAdmin command to set to false:
cd $IS_HOME/ASBServer/bin
./ -set -key -value false

Once the command completes successfully, confirm that the referer checker is turned off:
./ -d -key

The command output should show the key is set to false.

You must restart WebSphere for this change to take effect.

A fix has been provided in ISF 11.5 Rollup 6. Alternatively, 11.5 Fix Pack 2 can be installed.

After installing the fix, the check must be turned back ON, and a comma separated list of domain names to check against should be provided. The domain name is the string after the first dot character of the referer host name. For example, if the referer URL is, then the domain name value is

  • ./ -set -key -value true
    ./ -set -key -value

Related Information

[{"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"11.5;11.3","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
04 April 2019