Forum Discussion

kridsana's avatar
kridsana
Icon for Cirrocumulus rankCirrocumulus
Feb 16, 2018

ASM insert CSRF although not specify URL

Hi

 

We're using LTM/ASM with v.12.1.3

 

and right now we see issue as we have enable CSRF protection but we didn't specify and URL in URL list.

 

From my understanding, F5 should insert csrf in case we specify URL in URL list.

 

Why F5 insert it although we not specift URL list?

 

Is it a bug?

 

ps1. we have issue when using IE11 but we didn't have issue when using chrome. ps2. when using IE11, issue is occur intermittently.

 

Thank you

 

  • see https://support.f5.com/csp/article/K11930 | Configuring CSRF protection

     

    In the URLs List, click the URLs you want the system to examine.

     

    Add at least one URL to the list. The system considers all URLs that are not in the list to be safe, unless another problem is discovered.

     

    Note: Type the URL in the format: /index.html, /*/index.php, or /index.?html.

     

    if you enable the CSRF feature, you need to specify a URL.

     

  • can you please share with us print screen with csrf protection configuration ?