CSRF Protection Query

Question

Hello,&nbsp;
&nbsp;Have a query on CSRF protection. In ASM in Policies --&gt;CSRF Protection screen , the user needs to specify the specific URLs of the webapp to protect. I ran a appscan scan on my webapp(for URL discovery) and it threw about 700+ application URLs.  &nbsp;
&nbsp;Query:
&nbsp;Does this mean i need to specify all these specific application URLs to completely protect my site or is three any other way to do this.&nbsp;
&nbsp;regards,
&nbsp;Nik&nbsp;&nbsp;&nbsp;

hoolio · Answer

Hi Nik, 
&nbsp;  
&nbsp; Can you use wildcards for this?  At least in 11.1 ASM supports wildcards for the CSRF URL list. 
&nbsp;  
&nbsp; Aaron

nik_67256 · Answer

&nbsp; Hello Aaron,  
&nbsp;  
&nbsp; I have asm 10.2.2 running. I did try  the wildcard expression, but dont think it works  
&nbsp;  
&nbsp; I added https://siteURL/* in the CSRF protection page. I then did a explore with a scanner which conducted the CSRF  
&nbsp; tests. However the asm traffic learning screen did not flag it as an event. 
&nbsp;  
&nbsp; Queries  
&nbsp; 1) Firstly, Will this approach (described above) work in asm version 11 
&nbsp; 2) How can CSRF protection be achieved in asm version 10.2.2 
&nbsp;  
&nbsp; regards 
&nbsp; Nik

Forum Discussion

CSRF Protection Query

2 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP in https that redirect to another vip in https

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

F5 XC 503 upstream_reset_before_response_started{protocol_error}

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

Related Content

How To Protect Your Applications from Cross Site Request Forgery (CSRF) with F5 Distributed Cloud

L7 DoS Protection with NGINX App Protect DoS

F5 API Security: Discovery and Protection

Cookie-based DDoS protection

NGINX App Protect v5 Signature Notifications

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS