How allowed referrers work

AEM Forms provides referrer filtering, which helps prevent CSRF attacks. Here is how referrer filtering works:

  1. The Forms Server checks the HTTP method used for invocation:

    • If it is POST, the Forms Server performs the referrer header check.
    • If it is GET, the Forms Server bypasses the referrer check, unless CSRF_CHECK_GETS is set to true, in which case it performs the referrer header check. CSRF_CHECK_GETS is specified in the web.xml file for your application. (See “Protecting from Cross-Site Request Forgery attacks” in the Hardening and Security guide.)
  2. The Forms Server checks whether the requested URI is allowlisted:

    • If the URI is allowlisted, the server passes the request.
    • If the requested URI is not allowlisted, the server retrieves the referrer of the request.
  3. If there is a referrer in the request, the server checks whether it is an allowed referrer. If it is allowed, the server checks for a referrer exception:

    • If it is an exception, the request is blocked.
    • If it is not an exception, the request is passed.
  4. If there is no referrer in the request, the server checks whether a null referrer is allowed.

    • If a null referrer is allowed, the request is passed.
    • If a null referrer is not allowed, the server checks whether the requested URI is an exception for null referrer and handles the request accordingly.

Configure allowed referrers

When you run Configuration Manager, the default host name and IP address of the Forms Server are added to the Allowed Referrer list. You can edit this list in the administration console.

  1. In the administration console, click Settings > User Management > Configuration > Configure Allowed Referrer URL’s. The Allowed Referrer list appears at the bottom of the page.

  2. To add an allowed referrer:

    • Type a host name or IP address in the Allowed Referrers box. To add more than one allowed referrer at a time, type each host name or IP address on a new line.
    • In the HTTP Port and HTTPS Ports boxes, specify which ports to allow for HTTP, HTTPS, or both. If you leave those boxes empty, the default ports (port 80 for HTTP and port 443 for HTTPS) are used. If you enter 0 (zero) in the boxes, all ports on that server are enabled. You can also enter a specific port number to enable only that port.
    • Click Add.
  3. To remove an entry from the Allowed Referrer list, select the item in the list and click Delete.

    If the Allowed Referrer List is empty, the CSRF feature stops working and the system becomes insecure.

  4. After changing the Allowed Referrer list, restart the AEM Forms Server.
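The decision sequence described under “How allowed referrers work” and the port rules from step 2 above, modelled as an added Python example (this is not AEM’s own code). ReferrerPolicy, check_request and the host names used are constructed for illustration; where the page does not state the outcome (a referrer that is not allowed, or a URI that is a null-referrer exception) the model assumes block and pass respectively.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class ReferrerPolicy:
    # host -> {"http": port, "https": port}; None = box left empty (default port
    # only), 0 = all ports on that host, any other value = that port only
    allowed: dict
    allowlisted_uris: set = field(default_factory=set)
    referrer_exceptions: set = field(default_factory=set)       # blocked even when referrer is allowed
    allow_null_referrer: bool = False
    null_referrer_exceptions: set = field(default_factory=set)  # assumption: pass without a referrer
    csrf_check_gets: bool = False                                # CSRF_CHECK_GETS from web.xml

def referrer_allowed(policy, referrer):
    """Match the Referer URL's host and port against the Allowed Referrer list."""
    u = urlparse(referrer)
    ports = policy.allowed.get(u.hostname)
    if ports is None or u.scheme not in ("http", "https"):
        return False
    default = 80 if u.scheme == "http" else 443
    actual = u.port or default
    configured = ports.get(u.scheme)
    if configured is None:          # box left empty: only the default port is allowed
        return actual == default
    if configured == 0:             # zero: every port on that host is allowed
        return True
    return actual == configured     # a specific port: only that port is allowed

def check_request(policy, method, uri, referrer=None):
    """Return 'pass' or 'block' following the documented four-step sequence."""
    # Step 1: only POST is checked unless CSRF_CHECK_GETS is true.
    if method.upper() == "GET" and not policy.csrf_check_gets:
        return "pass"
    # Step 2: an allowlisted URI passes without any referrer check.
    if uri in policy.allowlisted_uris:
        return "pass"
    # Step 3: a referrer is present; it must be allowed and the URI must not be an exception.
    if referrer:
        if not referrer_allowed(policy, referrer):
            return "block"          # assumption: a referrer outside the list is rejected
        return "block" if uri in policy.referrer_exceptions else "pass"
    # Step 4: no referrer at all.
    if policy.allow_null_referrer:
        return "pass"
    return "pass" if uri in policy.null_referrer_exceptions else "block"
```

Note that an empty `allowed` dictionary makes every referrer-bearing POST fail, which mirrors the warning above that an empty Allowed Referrer list leaves the feature in an unusable state.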
