Referrer validation
To help mitigate CSRF attacks, we can configure WebSEAL to validate the Referer header in incoming HTTP requests. WebSEAL compares this Referer header with the configured list of allowed-referers entries to determine whether the request is valid. Referrer validation affects the following WebSEAL management pages:
- /pkmslogout
- /pkmslogout-nomas
- /pkmspasswd.form
- /pkmscdsso
- /pkmsvouchfor
- /pkmsskip
- /pkmsdisplace
Use the allowed-referers configuration entry in the [acnt-mgt] stanza to define valid Referer headers. The value for this entry can contain alphanumeric characters, spaces, periods, and wildcard characters. We can specify this entry multiple times to define multiple valid Referer headers; WebSEAL checks the request against all of these entries when validating the referrer.
We can set allowed-referers to %HOST%, which is a special filter. This filter tells WebSEAL that a referrer is valid if the host name portion of the Referer HTTP request header matches the Host HTTP request header.
If we want WebSEAL to use referrer validation, we must include at least one allowed-referers entry. For example:
[acnt-mgt]
allowed-referers = %HOST%
When WebSEAL validates an incoming request and finds no allowed-referers entry that matches the Referer header in the request, the request fails and WebSEAL returns an error page.
If there are no allowed-referers entries, referrer validation is disabled and WebSEAL does not validate the Referer headers in incoming requests.
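The following is an added illustration of the validation rules described above, written as a small Python model; it is not WebSEAL code and does not reproduce WebSEAL's internal implementation. It reads the allowed-referers entries from a constructed [acnt-mgt] stanza, applies the %HOST% filter and the wildcard entries, and only checks the management pages listed above. Two points are assumptions rather than documented behaviour: wildcards are treated as shell-style patterns (the page only says wildcards are permitted, not which syntax) matched against the host portion of the Referer, and a request with no Referer header at all is treated as failing validation when validation is enabled.

```python
"""Added example: a model of WebSEAL-style referrer validation for CSRF mitigation."""
import fnmatch
from urllib.parse import urlsplit

# Management pages that referrer validation applies to (from the documentation).
PROTECTED_PATHS = {
    "/pkmslogout", "/pkmslogout-nomas", "/pkmspasswd.form", "/pkmscdsso",
    "/pkmsvouchfor", "/pkmsskip", "/pkmsdisplace",
}

# Constructed sample configuration with two allowed-referers entries.
SAMPLE_CONFIG = """
[server]
https-port = 443

[acnt-mgt]
allowed-referers = %HOST%
allowed-referers = *.example.com
"""


def parse_allowed_referers(config_text):
    """Collect every allowed-referers value from the [acnt-mgt] stanza.

    Hand-rolled rather than configparser because the key may repeat and
    every occurrence must be kept.
    """
    entries = []
    stanza = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza == "acnt-mgt" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "allowed-referers":
                entries.append(value.strip())
    return entries


def referer_allowed(referer, host, allowed):
    """Return True if the Referer matches one of the allowed-referers entries.

    - An empty entry list means validation is disabled: every request passes.
    - %HOST% matches when the Referer's host equals the Host header (port ignored).
    - Any other entry is matched against the Referer's host with shell-style
      wildcards (assumption: the page does not define the wildcard syntax).
    - A missing Referer fails when validation is enabled (assumption).
    """
    if not allowed:
        return True
    if referer is None:
        return False
    ref_host = (urlsplit(referer).hostname or "").lower()
    host_name = (host or "").split(":")[0].lower()
    for entry in allowed:
        if entry == "%HOST%":
            if host_name and ref_host == host_name:
                return True
        elif fnmatch.fnmatchcase(ref_host, entry.lower()):
            return True
    return False


def check_request(path, headers, allowed):
    """Apply referrer validation to management pages only.

    Returns "ok" when the request may proceed and "error" when WebSEAL would
    return its error page instead.
    """
    if path not in PROTECTED_PATHS:
        return "ok"
    ok = referer_allowed(headers.get("Referer"), headers.get("Host"), allowed)
    return "ok" if ok else "error"


if __name__ == "__main__":
    allowed = parse_allowed_referers(SAMPLE_CONFIG)
    same_site = {"Host": "sso.corp.test", "Referer": "https://sso.corp.test/app/home"}
    cross_site = {"Host": "sso.corp.test", "Referer": "https://other.test/page"}
    print(allowed)
    print(check_request("/pkmslogout", same_site, allowed))   # ok via %HOST%
    print(check_request("/pkmslogout", cross_site, allowed))  # error page
```

Run the module directly to see the parsed entries and the outcome for a same-host logout request versus a cross-site one; the same cross-site Referer is accepted for a non-management path, and is also accepted for /pkmslogout when the entry list is empty, matching the rule that an absent allowed-referers entry disables validation entirely.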