allowed-referers

Use the allowed-referers stanza entry to specify which referrers can request management pages.

Syntax

allowed-referers = referer_filter

Description

For protection against cross-site request forgery (CSRF) attacks, you can configure WebSEAL to validate the Referer header of the HTTP request for all account management pages. WebSEAL uses the value that is provided for this configuration entry to determine whether the referrer host name in an incoming request is "valid".

If this entry is configured, when WebSEAL receives a request for an account management page, WebSEAL:
  1. Checks whether the Referer header is present in the HTTP request.
  2. Validates the host name portion of that referrer against the allowed-referers entries.

If the incoming request does not match any of the configured allowed-referers filters, the request fails and WebSEAL returns an error page. Entries can contain the following wildcard characters:
  * Matches zero or more characters.
  ? Matches exactly one character.

You can use the value %HOST% for this entry. This value is a special filter, which indicates to WebSEAL that a referrer is "valid" if the host name portion of the Referer header matches the Host header of the same request.

If there are no allowed-referers entries then WebSEAL does not complete this validation.

You can specify this entry multiple times to define multiple "allowed" referrer filters. WebSEAL uses all of these entries to validate the referrer.

For more information about referrer validation, search for "CSRF" in the IBM Security Verify Access: Web Reverse Proxy Configuration Guide.

Options

referer_filter
Specifies a filter for a referrer host name that WebSEAL can accept as "valid".

Usage

This stanza entry is optional.

Default value

None.

Example

The following entry matches any referrer host name that begins with the characters ac, followed by zero or more characters, and ends with the characters me:

allowed-referers = ac*me

The following entry indicates that a referrer is "valid" if the host name portion of the Referer header matches the Host header:

allowed-referers = %HOST%

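The following Python is an added illustration of the validation steps described on this page; it is not WebSEAL's own code. It assumes that a missing Referer header matches no filter, that host names compare case-insensitively, and that only * and ? are wildcards.

```python
import re
from urllib.parse import urlsplit


def _filter_to_regex(pattern):
    """Compile an allowed-referers filter into a regex; only * and ? are wildcards."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")        # zero or more characters
        elif ch == "?":
            parts.append(".")         # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def referer_allowed(headers, filters):
    """Model of the check: True when a management-page request passes validation.

    headers: the request's HTTP headers as a dict (header names case-insensitive).
    filters: the list of allowed-referers values from the [acnt-mgt] stanza.
    """
    if not filters:
        return True                   # no entries configured: validation is not performed
    hdrs = {name.lower(): value for name, value in headers.items()}
    referer = hdrs.get("referer")
    if referer is None:
        return False                  # assumption: a missing Referer matches no filter
    # Take the host name portion with a real URL parser: userinfo, port and path are
    # discarded, so "https://good.example@evil.example/" yields evil.example.
    ref_host = urlsplit(referer).hostname          # already lower-cased by urlsplit
    if not ref_host:
        return False
    # Same parser for the Host header, so ports and IPv6 brackets are handled.
    req_host = urlsplit("//" + hdrs.get("host", "")).hostname
    for flt in filters:
        if flt == "%HOST%":
            if req_host and ref_host == req_host:
                return True
        elif _filter_to_regex(flt).match(ref_host):
            return True
    return False
```
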
Parent topic: [acnt-mgt] stanza