Cross Site Request Forgery prevention in CA API Developer Portal


Article ID: 6456


Updated On:


CA API Developer Portal CA API Gateway


This article addresses a scenario that reflects a Cross-Site Request Forgery (CSRF) attack. The attack was viable by using a malicious HTML file.

For example, the HTML code can change the user's profile if the user is already logged in to the portal.


Release: L7APIP99000-3.5-API Developer Portal-Perpetual


One way to prevent the CSRF attack is to enable the referer check. The referer check matches the Host header of the request against the Referer header; a request whose Referer host does not match the Host header is rejected.

When the referer check is set to no or false (property cmsConfig.enableRefererCheck in the file /SYSTEM/conf/properties.xml), the portal is exploitable.


Please use the following steps to address the CSRF attack:

1. Log in to /admin

2. Navigate to /admin?action=list&path=/SYSTEM/conf 

3. Edit the properties file to the following values if they are not set already

<Property name="cmsConfig.enableRefererCheck" value="true" /> 
<Property name="" value="true" /> 
<Property name="" value="SAMEORIGIN" /> 

4. Save the file and republish it (click the green arrow)

5. As a quick test that the referer check is working, you should not be able to navigate by pasting a URL into the address bar (for example, from /admin?action=home you cannot paste /admin?action=list&path=/resources into the address bar to get there).

A 403 Forbidden message is shown instead, because a request typed into the address bar carries no Referer header and therefore cannot match the Host header.
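To make the Host-versus-Referer comparison concrete, the following is an added example written for this article; it is not code from CA API Developer Portal and does not reproduce the portal's implementation. It models the check as a function over the two headers and runs it against a set of constructed requests (the portal host name portal.example.com, the attacker host and the paths are assumptions): a normal in-portal navigation, a request triggered from a malicious HTML page on another host, a URL pasted into the address bar (no Referer, as in the quick test above), and two lookalike Referers that a prefix or substring match would wrongly accept. It also shows the status each request gets when the check is disabled, which is the exploitable state described above.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not captured from a real portal) for a portal
# assumed to be reachable as portal.example.com. Only the headers the check
# looks at are kept; header names are treated case-insensitively below.
SAMPLE_REQUESTS = {
    "same_origin_navigation": {
        "Host": "portal.example.com",
        "Referer": "https://portal.example.com/admin?action=home",
    },
    "malicious_html_page": {          # victim is logged in, page is elsewhere
        "Host": "portal.example.com",
        "Referer": "https://attacker.example.net/csrf.html",
    },
    "pasted_into_address_bar": {      # browsers send no Referer for typed URLs
        "Host": "portal.example.com",
    },
    "lookalike_host": {               # portal host used as a prefix of another host
        "Host": "portal.example.com",
        "Referer": "https://portal.example.com.attacker.example.net/",
    },
    "userinfo_trick": {               # portal host hidden in the userinfo part
        "Host": "portal.example.com",
        "Referer": "https://portal.example.com@attacker.example.net/",
    },
    "explicit_port": {                # port is part of the authority on both sides
        "Host": "portal.example.com:8443",
        "Referer": "https://portal.example.com:8443/admin?action=list&path=/resources",
    },
}


def referer_matches_host(host_header, referer_header):
    """Return True only when the Referer authority (host[:port]) equals the Host header.

    Whole-authority equality, never prefix or substring matching, is what rejects
    the lookalike and userinfo variants. A missing or unparsable Referer fails,
    which is why a URL pasted into the address bar is blocked.
    """
    if not host_header or not referer_header:
        return False
    parts = urlsplit(referer_header.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return parts.netloc.lower() == host_header.strip().lower()


def handle(headers, referer_check_enabled=True):
    """Return the HTTP status the request would get: 200 when served, 403 when blocked.

    With the check disabled (the cmsConfig.enableRefererCheck=false state) every
    request is served regardless of where it was triggered from.
    """
    if not referer_check_enabled:
        return 200
    lowered = {name.lower(): value for name, value in headers.items()}
    ok = referer_matches_host(lowered.get("host"), lowered.get("referer"))
    return 200 if ok else 403


def run_samples(referer_check_enabled=True):
    """Evaluate every constructed request; returns a {name: status} mapping."""
    return {name: handle(hdrs, referer_check_enabled)
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:26s} -> {status}")
```

Two caveats follow from the comparison being exact. First, the check has no knowledge of default ports, so a Referer of https://portal.example.com:443/ against a Host of portal.example.com is rejected; in practice browsers omit the default port, but a reverse proxy that rewrites Host can trigger this. Second, a Referer check protects only while the Referer is present and trustworthy: users whose browser or site Referrer-Policy strips the header get the same 403 as the quick test in step 5, and the check offers nothing if the attacker can place content on the portal's own origin. A per-session anti-CSRF token is the more robust control; this article covers only the referer check the portal provides.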

Additional Information

Prior to CR4, you would set cmsConfig.enableRefererCheck to yes instead of true:

<Property name="cmsConfig.enableRefererCheck" value="yes" /> 
<Property name="" value="true" /> 
<Property name="" value="SAMEORIGIN" />

If you suspect cross-site scripting (XSS) issues as well, please update to the latest CR, as many cross-site concerns have been addressed there.