"CSRF verification failed. Request aborted" error accessing Web application with ZTNA
Article ID: 377685


Products

Symantec ZTNA

Issue/Introduction

Multiple web applications are set up and accessed successfully by users via ZTNA.

The ZTNA admin added a new web application for Red Hat Ansible Automation Platform, but users cannot log in after submitting their credentials (the login attempt returns an error code).

The internal web server hostname defined for the application is resolvable and reachable from the connector.

The application has CORS enabled by default for HTTP requests, along with CSRF tokens.

If the same user accesses the application directly (bypassing ZTNA) with the same credentials, login works fine.

Environment

Red Hat Ansible Automation Platform.

ZTNA.

Cause

Ansible Automation Platform uses the value of the X-Forwarded-Host HTTP header when validating the request's origin for CSRF protection, instead of the Host or Origin HTTP headers. ZTNA rewrites Host and Origin to the internal hostname, but X-Forwarded-Host still carries the external ZTNA hostname, so the two do not match and the server rejects the login POST.

Resolution

Make sure that all X-Forwarded-* HTTP headers are removed from the web application's Advanced -> Request customization fields. After saving the change, have the user retry the login and confirm in a fresh HAR capture that the credential POST no longer returns a 403.

Additional Information

A HAR file showed that POSTing the user's credentials triggered a 403 response from the web server with the following error in the response body:

    <h1>Forbidden <span>(403)</span></h1>
    <p>CSRF verification failed. Request aborted.</p>
    <p>Reason given for failure:</p>
    <pre>
    Origin checking failed - https://######.luminatesec.com does not match any trusted origins.
    </pre>

This was misleading at first, because ZTNA already rewrites the Origin HTTP header to the internal hostname by default, so the Origin header was not the source of the rejected value. The only request header still carrying ######.luminatesec.com was X-Forwarded-Host, hence the change to remove it.
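The HAR inspection described above can be automated. The following script is an added example, not part of this article, of Symantec ZTNA or of Ansible Automation Platform: it walks a HAR capture, picks out 403 responses that carry the Django-style "CSRF verification failed" page, and for each one reports the request's Origin and Host headers, every X-Forwarded-* header that was sent, and whether X-Forwarded-Host names a different host than Origin. The embedded HAR fragments, the hostnames app.example.internal and app.ztna-broker.example, and the login URL are constructed placeholders for this example.

```python
"""Triage a HAR capture for CSRF origin failures caused by proxy-injected
X-Forwarded-* headers (added example; sample data is constructed)."""
import json
import re
from urllib.parse import urlparse

CSRF_FAILURE_MARKER = "CSRF verification failed"
REASON_RE = re.compile(r"<pre>\s*(.*?)\s*</pre>", re.S)


def _headers(side):
    """HAR header list -> {lower-case name: (original name, value)}."""
    return {h["name"].lower(): (h["name"], h["value"]) for h in side.get("headers", [])}


def _hostname(value):
    """Host part of 'https://host[:port]' or of a bare 'host[:port]' header value."""
    if "://" not in value:
        value = "//" + value
    return (urlparse(value).hostname or "").lower()


def find_csrf_failures(har_text):
    """One finding per entry whose response is a 403 carrying the CSRF failure page."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        resp = entry["response"]
        body = (resp.get("content") or {}).get("text") or ""
        if resp.get("status") != 403 or CSRF_FAILURE_MARKER not in body:
            continue
        req = entry["request"]
        hdrs = _headers(req)
        origin = hdrs.get("origin", ("", ""))[1]
        host = hdrs.get("host", ("", ""))[1]
        forwarded = {name: value for key, (name, value) in hdrs.items()
                     if key.startswith("x-forwarded-")}
        xfh = hdrs.get("x-forwarded-host")
        reason = REASON_RE.search(body)
        findings.append({
            "method": req["method"],
            "url": req["url"],
            "origin": origin,
            "host": host,
            "forwarded_headers": forwarded,
            # True when the proxy-injected X-Forwarded-Host names a different host
            # than Origin: an application that validates against X-Forwarded-Host
            # instead of Host/Origin rejects exactly this request.
            "forwarded_host_mismatch": bool(xfh) and _hostname(xfh[1]) != _hostname(origin),
            "reason": reason.group(1).strip() if reason else "",
        })
    return findings


def headers_to_remove(findings):
    """X-Forwarded-* request headers seen on failing requests: the request
    customization entries to delete on the ZTNA side."""
    names = set()
    for f in findings:
        names.update(f["forwarded_headers"])
    return sorted(names)


def _har(*entries):
    return json.dumps({"log": {"version": "1.2", "entries": list(entries)}})


def _login_post(headers, status, body):
    return {
        "request": {"method": "POST", "url": "https://app.example.internal/api/login/",
                    "headers": [{"name": n, "value": v} for n, v in headers]},
        "response": {"status": status, "content": {"mimeType": "text/html", "text": body}},
    }


# Constructed 403 body in the shape of the one quoted above (placeholder hostname).
FAILURE_BODY = ("<h1>Forbidden <span>(403)</span></h1>"
                "<p>CSRF verification failed. Request aborted.</p>"
                "<p>Reason given for failure:</p><pre>Origin checking failed - "
                "https://app.ztna-broker.example does not match any trusted origins.</pre>")

# Constructed capture reproducing the symptom: Host/Origin rewritten to the
# internal name, X-Forwarded-Host still carrying the external ZTNA hostname.
BROKEN_HAR = _har(_login_post(
    [("Host", "app.example.internal"), ("Origin", "https://app.example.internal"),
     ("X-Forwarded-Host", "app.ztna-broker.example"), ("X-Forwarded-Proto", "https")],
    403, FAILURE_BODY))

# Constructed capture of the same login after the X-Forwarded-* headers are removed.
FIXED_HAR = _har(_login_post(
    [("Host", "app.example.internal"), ("Origin", "https://app.example.internal")],
    302, ""))

if __name__ == "__main__":
    broken = find_csrf_failures(BROKEN_HAR)
    for f in broken:
        print(f["method"], f["url"], "->", f["reason"])
        print("  Origin:", f["origin"], "| Host:", f["host"], "| X-Forwarded-*:", f["forwarded_headers"])
        print("  X-Forwarded-Host disagrees with Origin:", f["forwarded_host_mismatch"])
    print("remove from ZTNA request customization:", headers_to_remove(broken))
    print("failures after fix:", len(find_csrf_failures(FIXED_HAR)))
```

Run it against a real HAR by replacing BROKEN_HAR with the file contents; any finding with forwarded_host_mismatch set is the pattern this article describes, and headers_to_remove lists the request customization entries to delete.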