ACA_SECURITY_SETTING

Product Type
Citizen Access System Switch

Description

This Standard Choice controls whether Citizen Access validates the referrer header in POST requests to prevent cross-site request forgery.

Standard Choice Value: ENABLE_URL_REFERER_CHECK
Value Desc: Yes or No
Description: If the Value Description is No or undefined, Citizen Access does not validate the referrer header in POST requests. If the Value Description is Yes, Citizen Access validates the referrer header. Refer to Setting ENABLE_URL_REFERER_CHECK to Yes for additional details.

Standard Choice Value: TRUSTED_SITES
Value Desc: Enter third-party trusted sites, separated by commas.
Description: The Value Description lists all the trusted sites whose POST requests can pass the validation by Citizen Access.

Setting ENABLE_URL_REFERER_CHECK to Yes

If you set ENABLE_URL_REFERER_CHECK to Yes, and the Citizen Access servers are load balanced, you must add all the servers as trusted sites:

  1. Add the key TrustedSites to the web.config file and set its value to the server URLs (either IP URLs or domain URLs). For example: <add key="TrustedSites" value="http(s)://[ACA SITE URL 1]/,http(s)://[ACA SITE URL 2]/" />
  2. After the change, clear the cache in both Civic Platform and Citizen Access. In Citizen Access, click the Clear Cache button in ACA Admin. In Civic Platform, navigate to V360 Admin > Cache List portlet.
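
A sketch of how a referrer check with a trusted-sites list behaves, added here as an illustration; it is not Citizen Access code, and the function names, the sample hosts, and the rejection of POST requests that carry no Referer header are assumptions. It compares parsed origins (scheme, host, port) instead of string prefixes, and a POST whose Referer names a second load-balanced node passes only when that node is in the list.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def parse_trusted_sites(value):
    """Turn a comma-separated trusted-sites value into a set of origins."""
    origins = {origin_of(item) for item in value.split(",") if item.strip()}
    origins.discard(None)  # skip entries that are not absolute http(s) URLs
    return origins


def referer_allowed(method, referer, own_origin, trusted):
    """Decide whether a request passes the referrer check."""
    if method.upper() != "POST":
        return True  # the setting described above covers POST requests only
    if not referer:
        return False  # assumption: a POST with no Referer header is rejected
    origin = origin_of(referer)
    if origin is None:
        return False
    # Exact origin match, so a lookalike host that merely starts with a
    # trusted name does not pass.
    return origin == origin_of(own_origin) or origin in trusted


# Constructed sample: two load-balanced nodes plus one third-party site.
OWN = "https://aca1.example.gov/"
TRUSTED = parse_trusted_sites(
    "https://aca1.example.gov/, https://aca2.example.gov/,https://pay.example.com/"
)
```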