How to: Define a custom CSRF URL and policy-wide host-name domain without subdomains

In the following example, the policy is configured with the following items:

  • Enable CSRF Protection globally (in Block mode).

  • Delete the default wildcard CSRF URL and define a new custom one.

  • Define a policy-wide hostname domain without its subdomains.

{
    "policy": {
        "applicationLanguage": "utf-8",
        "name": "example_2",
        "template": {
            "name": "POLICY_TEMPLATE_FUNDAMENTAL"
        },
        "blocking-settings": {
            "violations": [
                {
                    "name": "VIOL_CSRF",
                    "alarm": true,
                    "block": true
                }
            ]
        },
        "csrf-protection": {
            "enabled": true
        },
        "csrf-urls": [
            {
                "enforcementAction": "verify-origin",
                "method": "POST",
                "url": "/operation.aspx"
            }
        ],
        "host-names": [
            {
                "name": "example.com",
                "includeSubdomains": false
            }
        ]
    }
}
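To make the effect of the three settings concrete, the following Python model evaluates sample requests against the policy above. It is an added illustration, not code from the original page and not NGINX App Protect's own enforcement engine. Assumptions it makes: a `verify-origin` entry is satisfied when the host of the request's `Origin` header (or, if absent, `Referer`) is listed under `host-names`; a subdomain counts only when that entry sets `includeSubdomains` to true; `"*"` in a `csrf-urls` entry acts as a wildcard, modelled on the default wildcard URL the text mentions; and the product's own default entries are not merged in, so only the listed URL and hostname exist.

```python
"""Illustrative model of verify-origin CSRF enforcement for the policy on
this page. Not NGINX App Protect's implementation; see lead-in for assumptions."""
from urllib.parse import urlsplit

# Constructed copy of the page's policy as a Python dict.
POLICY = {
    "policy": {
        "name": "example_2",
        "blocking-settings": {
            "violations": [{"name": "VIOL_CSRF", "alarm": True, "block": True}]
        },
        "csrf-protection": {"enabled": True},
        "csrf-urls": [
            {"enforcementAction": "verify-origin", "method": "POST", "url": "/operation.aspx"}
        ],
        "host-names": [{"name": "example.com", "includeSubdomains": False}],
    }
}


def host_allowed(policy, host):
    """True if host is listed in host-names; a subdomain counts only when
    that entry sets includeSubdomains to true."""
    host = host.lower()
    for entry in policy["policy"].get("host-names", []):
        name = entry["name"].lower()
        if host == name:
            return True
        if entry.get("includeSubdomains") and host.endswith("." + name):
            return True
    return False


def matching_csrf_url(policy, method, path):
    """First csrf-urls entry whose method and url match; "*" is treated as
    a wildcard (assumption, modelled on the page's default wildcard URL)."""
    for entry in policy["policy"].get("csrf-urls", []):
        if entry["method"] in ("*", method) and entry["url"] in ("*", path):
            return entry
    return None


def violation_outcome(policy, violation):
    """'block', 'alarm' or 'pass' for a violation, per blocking-settings."""
    for v in policy["policy"].get("blocking-settings", {}).get("violations", []):
        if v["name"] == violation:
            if v.get("block"):
                return "block"
            return "alarm" if v.get("alarm") else "pass"
    return "pass"


def evaluate(policy, request):
    """Return (outcome, reason) for a request dict with method, path, headers."""
    p = policy["policy"]
    if not p.get("csrf-protection", {}).get("enabled"):
        return ("pass", "CSRF protection disabled")
    entry = matching_csrf_url(policy, request["method"], request["path"])
    if entry is None:
        return ("pass", "no csrf-urls entry for this method and path")
    if entry["enforcementAction"] != "verify-origin":
        return ("pass", "enforcement action not modelled here")
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    host = urlsplit(source).hostname if source else None
    if host is None:
        return (violation_outcome(policy, "VIOL_CSRF"), "VIOL_CSRF: no usable Origin/Referer")
    if host_allowed(policy, host):
        return ("pass", f"origin host {host} matches host-names")
    return (violation_outcome(policy, "VIOL_CSRF"),
            f"VIOL_CSRF: origin host {host} not in host-names")


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("same-origin POST", {"method": "POST", "path": "/operation.aspx",
                          "headers": {"Origin": "https://example.com"}}),
    ("subdomain POST", {"method": "POST", "path": "/operation.aspx",
                        "headers": {"Origin": "https://shop.example.com"}}),
    ("foreign-origin POST", {"method": "POST", "path": "/operation.aspx",
                             "headers": {"Origin": "https://elsewhere.invalid"}}),
    ("POST without Origin", {"method": "POST", "path": "/operation.aspx", "headers": {}}),
    ("GET to the same URL", {"method": "GET", "path": "/operation.aspx",
                             "headers": {"Origin": "https://elsewhere.invalid"}}),
    ("POST to unlisted URL", {"method": "POST", "path": "/other.aspx",
                              "headers": {"Origin": "https://elsewhere.invalid"}}),
]


def run_samples(policy=POLICY):
    """Map each sample label to its outcome under the given policy."""
    return {label: evaluate(policy, req)[0] for label, req in SAMPLES}


if __name__ == "__main__":
    for label, req in SAMPLES:
        outcome, reason = evaluate(POLICY, req)
        print(f"{label:22} -> {outcome:5} ({reason})")
```

Running the model shows why each setting matters: the subdomain request is blocked only because `includeSubdomains` is false, the GET and the unlisted URL are never examined because the single `csrf-urls` entry covers only `POST /operation.aspx`, and a violation turns into a block rather than an alarm only because `VIOL_CSRF` has `block` set in `blocking-settings`.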