Configure referrer validation

The Sitefinity CMS Web Security module provides you a with configurable protection mechanism against Cross-Site Request Forgery (CSRF) attacks. This way you can prevent scenarios like an attacker misleading an already authenticated user into executing malicious code when the site changes state. The CSRF attacks are possible since once a user is successfully authenticated to the site, the site has no way to distinguish between a legitimate request that occurs while the user is browsing the site, or a forged request that the attacker has fooled the user into executing. The Referrer validation mechanism of Sitefinity CMS Web Security module prevents CSRF attacks via introducing a whitelist of domains the external requests to the website can originate from. By default, this list contains your licensed domains and site domains only. This way, any calls to your website services that originate from domains other than the ones configured in the Referrer validation whitelist will be blocked.

Referrer validation settings

You can enable or disable the referrer validation mechanism and configure the whitelist of allowed domains.

To access the referrer validation configuration, perform the following:

  1. In Sitefinity CMS backend, navigate to Administration » Settings » Advanced.
  2. In the tree on the left, expand WebSecurity and click on ReferrerValidation

You can control the redirect validation behavior by modifying the following properties:

  • Disable centralized referrer validation
    This property controls whether the referrer validation mechanism is enabled. When checked, the centralized referrer validation does not block external requests coming from non-trusted origins.

    NOTE: By default, the referrer validation mechanism is enabled for all websites running on Sitefinity CMS version 12.0 and later.

  • Trusted locations
    This property enables you to specify a comma-separated list of domains that you consider trusted. The referrer validation mechanism will not block external requests coming from these domains. By default, the website domains, included in your Sitefinity CMS license are considered trusted.

Was this article helpful?