ASM insert CSRF although not specify URL

Question

Hi&nbsp;
We're using LTM/ASM with v.12.1.3&nbsp;
and right now we see issue as we have enable CSRF protection but we didn't specify and URL in URL list.&nbsp;
From my understanding, F5 should insert csrf in case we specify URL in URL list.&nbsp;
Why F5 insert it although we not specift URL list?&nbsp;
Is it a bug?&nbsp;
ps1. we have issue when using IE11 but we didn't have issue when using chrome.
ps2. when using IE11, issue is occur intermittently.&nbsp;
Thank you&nbsp;

boggs_5738 · Answer

see https://support.f5.com/csp/article/K11930 | Configuring CSRF protection&nbsp;
In the URLs List, click the URLs you want the system to examine.&nbsp;
Add at least one URL to the list. The system considers all URLs that are not in the list to be safe, unless another problem is discovered.&nbsp;
Note: Type the URL in the format: /index.html, /*/index.php, or /index.?html.&nbsp;
if you enable the CSRF feature, you need to specify a URL.&nbsp;

piotrek_72347 · Answer

can you please share with us print screen with csrf protection configuration ?&nbsp;

kridsana · Answer

FYI&nbsp;
We found this known issue which is a root cause for this case.&nbsp;
https://support.f5.com/csp/article/K13904&nbsp;

Forum Discussion

ASM insert CSRF although not specify URL

3 Replies

Recent Discussions

monitor a pool that consists of Linux Squid Servers

CWE-20: Improper Input Validation

Reliable resources for identifying IP addresses

VPN fragmented IP packets dropped

Reset cause

Related Content

Security Headers Insertion

C3D and header insert

iRule Header Insert

iRule header insert

Insert Basic Auth Header