How to: Define a custom CSRF URL and policy-wide host-name domain without subdomains
In the following example, the policy is configured with the following items:
Enable CSRF Protection globally (in Block mode).
Delete the default wildcard CSRF URL and define a new custom one.
Define a policy-wide hostname domain without its subdomains.
{
    "policy": {
        "applicationLanguage": "utf-8",
        "name": "example_2",
        "template": {
            "name": "POLICY_TEMPLATE_FUNDAMENTAL"
        },
        "blocking-settings": {
            "violations": [
                {
                    "name": "VIOL_CSRF",
                    "alarm": true,
                    "block": true
                }
            ]
        },
        "csrf-protection": {
            "enabled": "true"
        },
        "csrf-urls": [
            {
                "enforcementAction": "verify-origin",
                "method": "POST",
                "url": "/operation.aspx"
            }
        ],
        "host-names": [
            {
                "name": "example.com",
                "includeSubdomains": false
            }
        ]
    }
}
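The following Python model is an added example, not the product's implementation and not part of the original page. It shows how a verify-origin check combined with this policy's host-names entry would treat different Origin headers. The function names host_allowed and evaluate, exact URL matching, and failing a missing Origin are assumptions of the model.

```python
import json
from urllib.parse import urlsplit

# The CSRF-relevant parts of the policy shown above.
POLICY = json.loads("""
{"policy": {
  "blocking-settings": {"violations": [{"name": "VIOL_CSRF", "alarm": true, "block": true}]},
  "csrf-protection": {"enabled": "true"},
  "csrf-urls": [{"enforcementAction": "verify-origin", "method": "POST", "url": "/operation.aspx"}],
  "host-names": [{"name": "example.com", "includeSubdomains": false}]
}}
""")["policy"]


def host_allowed(host, host_names):
    """Exact match, or a true subdomain only when includeSubdomains is set."""
    host = host.lower().rstrip(".")
    for entry in host_names:
        name = entry["name"].lower()
        if host == name:
            return True
        # Compare on a label boundary so "notexample.com" never matches.
        if entry.get("includeSubdomains") and host.endswith("." + name):
            return True
    return False


def evaluate(policy, method, path, origin):
    """Return 'pass', 'alarm' or 'block' for one request (simplified model)."""
    if str(policy["csrf-protection"]["enabled"]).lower() != "true":
        return "pass"
    # Model assumption: URLs are matched exactly (no wildcard handling).
    covered = any(u["enforcementAction"] == "verify-origin"
                  and u["method"] == method and u["url"] == path
                  for u in policy["csrf-urls"])
    if not covered:
        return "pass"
    # Model assumption: a missing or host-less Origin ("null") fails the check.
    host = urlsplit(origin).hostname if origin else None
    if host and host_allowed(host, policy["host-names"]):
        return "pass"
    viol = next(v for v in policy["blocking-settings"]["violations"]
                if v["name"] == "VIOL_CSRF")
    return "block" if viol["block"] else "alarm" if viol["alarm"] else "pass"
```

With includeSubdomains set to false, an Origin of https://app.example.com is treated the same as any foreign origin, so legitimate subdomains that post to /operation.aspx need their own host-names entries.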