Configure referrer validation


The Sitefinity CMS Web Security module provides you a with configurable protection mechanism against Cross-Site Request Forgery (CSRF) attacks. This way you can prevent scenarios like an attacker misleading an already authenticated user into executing malicious code when the site changes state. The CSRF attacks are possible since once a user is successfully authenticated to the site, the site has no way to distinguish between a legitimate request that occurs while the user is browsing the site, or a forged request that the attacker has fooled the user into executing. The Referrer validation mechanism of Sitefinity CMS Web Security module prevents CSRF attacks via introducing a whitelist of domains the external requests to the website can originate from. By default, this list contains your licensed domains and site domains only. This way, any calls to your website services that originate from domains other than the ones configured in the Referrer validation whitelist will be blocked.

Referrer validation settings

You can enable or disable the referrer validation mechanism and configure the whitelist of allowed domains.

To access the referrer validation configuration, perform the following:

  1. In Sitefinity CMS backend, navigate to Administration » Settings » Advanced.
  2. In the tree on the left, expand WebSecurity and click on ReferrerValidation


You can control the referrer validation behavior by modifying the following properties:

  • Disable centralized referrer validation
    This property controls whether the referrer validation mechanism is enabled. When checked, the centralized referrer validation does not block external requests coming from non-trusted origins.

    NOTE: By default, the referrer validation mechanism is enabled for all websites running on Sitefinity CMS version 12.0 and later.

  • Trusted locations
    This property enables you to specify a comma-separated list of domains that you consider trusted. The referrer validation mechanism will not block external requests coming from these domains. By default, the website domains, included in your Sitefinity CMS license are considered trusted.

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?