The Sitefinity CMS Web Security module provides you with a configurable protection mechanism against Cross-Site Request Forgery (CSRF) attacks. This way you can prevent scenarios in which an attacker misleads an already authenticated user into executing malicious requests that change the state of the site. CSRF attacks are possible because, once a user is successfully authenticated to the site, the site has no way to distinguish between a legitimate request that occurs while the user is browsing the site and a forged request that the attacker has fooled the user into executing. The Referrer validation mechanism of the Sitefinity CMS Web Security module prevents CSRF attacks by introducing a whitelist of domains from which external requests to the website can originate. By default, this list contains only your licensed domains and site domains. This way, any calls to your website services that originate from domains other than the ones configured in the Referrer validation whitelist are blocked.
You can enable or disable the referrer validation mechanism and configure the whitelist of allowed domains.
To access the referrer validation configuration, perform the following:
You can control the referrer validation behavior by modifying the following properties:
NOTE: By default, the referrer validation mechanism is enabled for all websites running on Sitefinity CMS version 12.0 and later.
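To illustrate the allowlist logic described above, here is an added example that is not Sitefinity's own code: a small referrer-validation check that reads the request's `Origin` or `Referer` header, extracts the host, and allows the request only when that host is on a configured allowlist. The allowlist, the sample requests, and the policy of blocking requests that carry no referrer at all are assumptions of this example, not behavior the page documents.

```python
"""Referrer-validation check modeled on the mechanism the page describes.

Added illustration, not Sitefinity's own implementation. Assumes that a
request carries an Origin and/or Referer header and that only hosts on a
configured allowlist may call the site's services. Blocking requests with
no referrer at all is an assumption made here, not documented behavior.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist standing in for a site's licensed and site domains.
ALLOWED_DOMAINS = {"www.example.com", "example.com", "cms.example.com"}


def _host_of(url: str) -> Optional[str]:
    """Return the lower-cased host of an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname drops the port and any userinfo, so
    # 'https://www.example.com@attacker.test/' yields 'attacker.test'.
    return parts.hostname.lower()


def is_request_allowed(headers: dict, allowed=ALLOWED_DOMAINS) -> bool:
    """Decide whether a request passes referrer validation.

    Origin is preferred when present (browsers send it on cross-site POSTs),
    falling back to Referer. A missing or malformed value is treated as an
    external request and blocked. The host must match an allowlist entry
    exactly, so 'example.com.attacker.test' does not match 'example.com'.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    host = _host_of(source)
    return host is not None and host in allowed


# Constructed sample requests: a same-site admin call, a forged cross-site
# call, a suffix-trick host, an upper-cased host with explicit port, and
# a request with no referrer information at all.
SAMPLE_REQUESTS = [
    {"Origin": "https://www.example.com", "Referer": "https://www.example.com/admin"},
    {"Referer": "https://attacker.test/csrf.html"},
    {"Referer": "https://example.com.attacker.test/"},
    {"Referer": "https://WWW.EXAMPLE.COM:443/Sitefinity/"},
    {},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("allowed" if is_request_allowed(req) else "blocked", req)
```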