ASM insert CSRF although not specify URL

Question

Hi&nbsp;
We're using LTM/ASM with v.12.1.3&nbsp;
and right now we see issue as we have enable CSRF protection but we didn't specify and URL in URL list.&nbsp;
From my understanding, F5 should insert csrf in case we specify URL in URL list.&nbsp;
Why F5 insert it although we not specift URL list?&nbsp;
Is it a bug?&nbsp;
ps1. we have issue when using IE11 but we didn't have issue when using chrome.
ps2. when using IE11, issue is occur intermittently.&nbsp;
Thank you&nbsp;

boggs_5738 · Answer

see https://support.f5.com/csp/article/K11930 | Configuring CSRF protection&nbsp;
In the URLs List, click the URLs you want the system to examine.&nbsp;
Add at least one URL to the list. The system considers all URLs that are not in the list to be safe, unless another problem is discovered.&nbsp;
Note: Type the URL in the format: /index.html, /*/index.php, or /index.?html.&nbsp;
if you enable the CSRF feature, you need to specify a URL.&nbsp;

piotrek_72347 · Answer

can you please share with us print screen with csrf protection configuration ?&nbsp;

kridsana · Answer

FYI&nbsp;
We found this known issue which is a root cause for this case.&nbsp;
https://support.f5.com/csp/article/K13904&nbsp;

Forum Discussion

ASM insert CSRF although not specify URL

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Integrate BIG-IP with AWS CloudWAN Service Insertion

Security Headers Insertion

C3D and header insert

iRule Header Insert

iRule header insert

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS