How to: Configure a custom CSRF URL wildcard and myurl
In the following example, the policy is configured with the following items:

- Enable CSRF Protection globally (the violation is already in Alarm mode in the default policy).
- Delete the default wildcard CSRF URL and define a new custom one.
- Define a policy-wide hostname domain with subdomains.
- Add a custom URL "myurl" where CSRF enforcement is enabled, and define a custom origin for this URL.
{
    "policy": {
        "applicationLanguage": "utf-8",
        "name": "example_3",
        "template": {
            "name": "POLICY_TEMPLATE_FUNDAMENTAL"
        },
        "blocking-settings": {
            "violations": [
                {
                    "name": "VIOL_CSRF",
                    "alarm": true,
                    "block": true
                }
            ]
        },
        "csrf-protection": {
            "enabled": "true"
        },
        "csrf-urls": [
            {
                "enforcementAction": "verify-origin",
                "method": "POST",
                "url": "/csrfurl"
            }
        ],
        "host-names": [
            {
                "name": "example.com",
                "includeSubdomains": true
            }
        ],
        "urls": [
            {
                "name": "/myurl",
                "html5CrossOriginRequestsEnforcement": {
                    "enforcementMode": "enforce",
                    "crossDomainAllowedOrigin": [
                        {
                            "includeSubDomains": false,
                            "originName": "foo.com",
                            "originPort": "all",
                            "originProtocol": "http/https"
                        }
                    ]
                }
            }
        ]
    }
}
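To reason about what this policy will actually accept before deploying it, the following added example (not part of the documentation or the product) walks the two origin rules above over sample Origin headers. It assumes, as an approximation for illustration, that `verify-origin` on a CSRF URL passes when the Origin host falls within the policy `host-names`, and that cross-origin enforcement on `/myurl` passes when the Origin matches an entry in `crossDomainAllowedOrigin` (scheme, host, subdomain flag, port).

```python
"""Offline walk-through of the CSRF / cross-origin rules in the example policy.
Added example; the matching logic is an assumed approximation, not NGINX App
Protect's implementation."""
import json
from urllib.parse import urlsplit

# Constructed copy of the policy sections the check needs (mirrors the example).
POLICY = json.loads("""{
  "host-names": [{"name": "example.com", "includeSubdomains": true}],
  "csrf-urls": [{"enforcementAction": "verify-origin", "method": "POST", "url": "/csrfurl"}],
  "urls": [{"name": "/myurl", "html5CrossOriginRequestsEnforcement": {
      "enforcementMode": "enforce",
      "crossDomainAllowedOrigin": [{"includeSubDomains": false, "originName": "foo.com",
                                   "originPort": "all", "originProtocol": "http/https"}]}}]
}""")

def host_matches(host, name, include_subdomains):
    """Exact match, or a subdomain of `name` when the entry allows it."""
    return host == name or (include_subdomains and host.endswith("." + name))

def same_site(policy, host):
    """True when the host is covered by the policy-wide host-names list."""
    return any(host_matches(host, h["name"], h["includeSubdomains"]) for h in policy["host-names"])

def csrf_origin_ok(policy, method, path, origin):
    """verify-origin on a csrf-urls entry (assumed): the Origin header must be
    present and its host must be one of the policy host-names."""
    for entry in policy["csrf-urls"]:
        if (entry["url"], entry["method"], entry["enforcementAction"]) == (path, method, "verify-origin"):
            if origin is None:
                return False  # nothing to verify: treat as a VIOL_CSRF hit
            return same_site(policy, urlsplit(origin).hostname or "")
    return True  # this method/path is not under CSRF enforcement

def cors_origin_ok(policy, path, origin):
    """Cross-origin enforcement on a urls entry (assumed): same-site requests pass;
    a foreign Origin must match scheme, host (subdomain flag) and port of an allowed origin."""
    for url in policy["urls"]:
        if url["name"] != path:
            continue
        cfg = url.get("html5CrossOriginRequestsEnforcement", {})
        parts = urlsplit(origin or "")
        if cfg.get("enforcementMode") != "enforce" or same_site(policy, parts.hostname or ""):
            return True
        for allowed in cfg["crossDomainAllowedOrigin"]:
            port_ok = allowed["originPort"] == "all" or str(parts.port) == str(allowed["originPort"])
            if (parts.scheme in allowed["originProtocol"].split("/") and port_ok
                    and host_matches(parts.hostname or "", allowed["originName"], allowed["includeSubDomains"])):
                return True
        return False
    return True  # no per-URL enforcement configured for this path
```

Running the checks against `https://bar.foo.com` shows why `includeSubDomains: false` matters: only `foo.com` itself is accepted on `/myurl`, while `api.example.com` is accepted on `/csrfurl` because the host-name entry includes subdomains.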