How to use the CSRF referrer setting Allowed referrers

Hi, I need some help with configuring the CSRF on our application. For our application we need to set the SameSite cookie attribute to Strict. This is due to security guidelines. As a consequence of this change I am not able to refer to our application from a wiki page. When I enter our application URL in the browser the (SAML) login screen is loaded. When I refer to our application from the wiki page I get redirected to another place due to my application configuration.

According to the documentation (Pegasystems Documentation) I found this is because the wiki I come from is not configured as an allowed referrer.

However, when I configure the wiki page as allowed referrer it still does not work (see screenshot). I am using the value taken from the HTTP request header's referer value.

Am I doing something wrong?

@SebastiaanH your screenshot did not attach to your post - could you provide it again?

To configure the CSRF settings in Pega, you need to go to the Cross-Site Request Forgery settings in Dev Studio. Here, you can add the URL of your wiki page to the “Allowed referrers” field. Make sure to enter the exact URL as it appears in the HTTP request header’s referer value. If you have enabled the “Allow domains only if matches exactly with Referrer” checkbox, only the exact match will be valid. After making these changes, click “Submit”. If you changed the value of “Enable CSRF token check”, you must restart your system for the new value to take effect. If the issue persists, it might be due to other factors not covered in the provided context.

Warning: This is a GenAI-powered tool. All generated answers require validation against the provided references.

Enabling and configuring Cross-Site Request Forgery settings

How to correctly utilize CSRF Settings (security/csrf/validreferers)

Enabling cross-site request forgery support

Cookie usage in Pega software > Pega Platform – Security

Understanding cross-site request forgery > Cross-site request forgery settings

@MarijeSchillern Thank you for your reply

Another try for the screenshot. I added it as PDF. I tried the options you wrote down. None of them work. I also looked at the suggested links before. I am doing what is written there.

I also created an SR to get some more detailed answers on why this is not working for me.

CSRF.pdf (151 KB)

@SebastiaanH thanks for the update. Can you please provide the SR/ INC ticket id here?

Can you confirm the ticket is INC-B9240 (Not able to get CSRF allowed referrers to work)?

@MarijeSchillern Correct that is the SR

@SebastiaanH's INC-B9240 has been closed with the following solution:

The feedback from the SME on this issue:

Taking into account the configuration that is done in your environment, you can use Same Site cookie option set to “Lax”. Option “Strict” is not allowed in this use case.
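The resolution above comes down to how a browser decides whether to attach a SameSite cookie when a link on one site navigates to another. The model below is added here and is not code from the thread or from Pega: it walks a constructed link from `wiki.example.org` to `app.example.com` through the Strict/Lax/None rules, and the allow-list check is a simplified illustration of the "exact match" option (an assumption about its semantics, not Pega's implementation).

```python
from urllib.parse import urlparse

def site_of(url: str) -> tuple:
    """Approximate the 'site' as (scheme, registrable domain).
    Simplification (assumption): the registrable domain is taken to be the
    last two host labels; a real browser consults the Public Suffix List."""
    p = urlparse(url)
    labels = (p.hostname or "").split(".")
    return (p.scheme, ".".join(labels[-2:]))

def cookie_sent(samesite: str, referrer_url: str, target_url: str,
                method: str = "GET", top_level: bool = True) -> bool:
    """Would a cookie with this SameSite value ride along on the request?"""
    if site_of(referrer_url) == site_of(target_url):
        return True                      # same-site: always attached
    mode = samesite.lower()
    if mode == "strict":
        return False                     # never on a cross-site request
    if mode == "lax":
        # cross-site only for top-level navigations using a safe method
        return top_level and method.upper() in ("GET", "HEAD")
    if mode == "none":
        return urlparse(target_url).scheme == "https"  # requires Secure
    raise ValueError(f"unknown SameSite value: {samesite}")

def referrer_allowed(referrer_url: str, allowed: list, exact: bool) -> bool:
    """Simplified allow-list check (assumption, not Pega's logic):
    exact=True compares the full URL, otherwise only the host."""
    if exact:
        return referrer_url in allowed
    host = urlparse(referrer_url).hostname
    return any(urlparse(a).hostname == host for a in allowed)

# Constructed sample values for the scenario in the thread.
WIKI = "https://wiki.example.org/pages/app-link"
APP = "https://app.example.com/prweb/"

def scenario(samesite: str) -> dict:
    """Following the wiki link: is the session cookie sent, and is the
    referrer on the allow-list? An allowed referrer cannot compensate for
    a cookie the browser withholds, so with Strict the app still sees
    an unauthenticated request and redirects."""
    return {
        "cookie_sent": cookie_sent(samesite, WIKI, APP),
        "referrer_allowed": referrer_allowed(WIKI, [WIKI], exact=True),
    }

if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(mode, scenario(mode))
```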