Topics

All topics

Configure referrer validation

Overview

The Sitefinity CMS Web Security module provides you a with configurable protection mechanism against Cross-Site Request Forgery (CSRF) attacks. This way you can prevent scenarios like an attacker misleading an already authenticated user into executing malicious code when the site changes state. The CSRF attacks are possible since once a user is successfully authenticated to the site, the site has no way to distinguish between a legitimate request that occurs while the user is browsing the site, or a forged request that the attacker has fooled the user into executing. The Referrer validation mechanism of Sitefinity CMS Web Security module prevents CSRF attacks via introducing a whitelist of domains the external requests to the website can originate from. By default, this list contains your licensed domains and site domains only. This way, any calls to your website services that originate from domains other than the ones configured in the Referrer validation whitelist will be blocked.

Referrer validation settings

You can enable or disable the referrer validation mechanism and configure the whitelist of allowed domains.

To access the referrer validation configuration, perform the following:

In Sitefinity CMS backend, navigate to Administration » Settings » Advanced.
In the tree on the left, expand WebSecurity and click on ReferrerValidation

Properties

You can control the referrer validation behavior by modifying the following properties:

Disable centralized referrer validation
This property controls whether the referrer validation mechanism is enabled. When checked, the centralized referrer validation does not block external requests coming from non-trusted origins.
NOTE: By default, the referrer validation mechanism is enabled for all websites running on Sitefinity CMS version 12.0 and later.
Trusted locations
This property enables you to specify a comma-separated list of domains that you consider trusted. The referrer validation mechanism will not block external requests coming from these domains. By default, the website domains, included in your Sitefinity CMS license are considered trusted.

Additional resources

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Web Security for Sitefinity Administrators

The free standalone Web Security lesson teaches administrators how to protect your websites and Sitefinity instance from external threats. Learn to configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?

Yes No

Would you like to submit additional feedback?

Your feedback about this content is important

How helpful is this article?

Very helpful Somewhat helpful Not helpful

How can we improve this article?(Optional)

Fix typos or links

Fix incorrect information

Add or update code samples

Add or update illustrations

Add information about...

Send feedback Cancel

Configure cookies protection