Configure cross-site request forgery settings (CSRF) to prevent users from
unintentionally making changes because of a CSRF attack. You can set validation for
activities and streams, add host names to a whitelist, and specify host names that you want
checked for a CSRF token.
- Click .
- Select the Enable CSRF token check check box.
  This check box causes all Pega URLs to include a CSRF token. All HTTP requests
  must pass the CSRF token as part of the URL.
- Select one of the following Secure fields:
  - All activities & streams: CSRF validation checks all activities and streams in
    your system for CSRF tokens. If you select this option, you can exclude specific
    activities and streams from CSRF token validation by entering them in the
    Allowed Activities field and the Allowed Streams field. Separate multiple
    activities and streams with commas.
  - Specific activities & streams: CSRF validation checks the activities and streams
    that you specify in the Secured Activities and Secured Streams fields for CSRF
    tokens. Separate multiple activities and streams with commas.
- Optional: To whitelist host names that are ignored during CSRF token validation,
  perform the following actions.
  - In the Referrer Settings section, select the Enable referrer check check box.
  - In the Allowed referrers field, enter the host names that you want to be checked
    for a CSRF token. Separate multiple host names with commas.
- Click Submit.
What to do next: You must restart your system after changing CSRF
settings.
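As an added, illustrative example (not Pega's code; the class, function and field names are invented), the following Python models how the two Secure field choices above decide which activities and streams are checked for a token, and how a token carried on the URL is compared against the token held for the session. The referrer check is not modeled.

```python
from dataclasses import dataclass, field
from typing import Optional
import hmac


@dataclass
class CsrfSettings:
    """Hypothetical model of the settings described above (names are invented)."""
    token_check_enabled: bool = True
    secure_mode: str = "all"                 # "all" or "specific"
    allowed_activities: set = field(default_factory=set)   # exempt when mode is "all"
    allowed_streams: set = field(default_factory=set)
    secured_activities: set = field(default_factory=set)   # checked when mode is "specific"
    secured_streams: set = field(default_factory=set)


def parse_list(value: str) -> set:
    """Split a comma-separated field value into trimmed, non-empty names."""
    return {item.strip() for item in value.split(",") if item.strip()}


def requires_token(settings: CsrfSettings, kind: str, name: str) -> bool:
    """Decide whether an activity ('activity') or stream ('stream') needs a CSRF token."""
    if not settings.token_check_enabled:
        return False
    if settings.secure_mode == "all":
        # Everything is checked except the names listed in the Allowed fields.
        exempt = settings.allowed_activities if kind == "activity" else settings.allowed_streams
        return name not in exempt
    # "specific": only the names listed in the Secured fields are checked.
    secured = settings.secured_activities if kind == "activity" else settings.secured_streams
    return name in secured


def validate_request(settings: CsrfSettings, kind: str, name: str,
                     url_token: Optional[str], session_token: str) -> bool:
    """Accept the request unless a token is required and the URL token does not match."""
    if not requires_token(settings, kind, name):
        return True
    if not url_token:
        return False
    # Constant-time comparison avoids leaking the token through timing differences.
    return hmac.compare_digest(url_token, session_token)


if __name__ == "__main__":
    # Constructed sample configuration: secure everything except two exempt activities.
    cfg = CsrfSettings(secure_mode="all", allowed_activities=parse_list("Login, HealthCheck"))
    print(validate_request(cfg, "activity", "HealthCheck", None, "s3cr3t"))      # True (exempt)
    print(validate_request(cfg, "activity", "UpdateProfile", None, "s3cr3t"))    # False (no token)
    print(validate_request(cfg, "activity", "UpdateProfile", "s3cr3t", "s3cr3t"))  # True
```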