Configuring the Referer Header

If the referer header in a request is not validated, the application can be vulnerable to Cross-Site Request Forgery (CSRF) attacks.

For this reason, the referer header is strictly validated, as follows:

  • The referer header must match the domain of the ActiveMatrix BPM runtime server.
  • If any other domain is required as a valid referer header, it must be added to a node-level JVM property as described below.

If the referer header is not configured as described in this procedure, single sign-on authentication will fail.

Note: The referer header can be used for both OpenID Connect and SAML Web Profile authentication.

Procedure

  1. In ActiveMatrix Administrator, select Infrastructure > Nodes.
  2. In the Nodes list, select BPMNode.
  3. In the lower pane, select the Configuration tab.
  4. Select the JVM Configuration link.
    The Properties section lists the existing JVM properties defined for the BPMNode.
  5. Click Add, and add the following JVM property:

    java.property.com.tibco.amf.hpa.tibcohost.jetty.httpconnector.allowed.referers

  6. For the value of the newly added property, specify the domain of the referer, for example, "accounts.google.com".
    Note: If you need to add "accounts.google.com" and "mail.google.com", you can specify just "google.com".
  7. Click Save.
  8. Stop, then restart the BPMNode to have your changes take effect:
    1. Select the BPMNode in the Nodes list.
    2. Click Stop.
    3. When the Node State column shows that the node is stopped, click Install or Sync.
      This applies the configuration changes.
    4. Click Start.
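As an added illustration of the check this procedure configures (example code, not TIBCO's own implementation): a request's Referer is accepted only if its host is the BPM runtime server or falls under a domain listed in the allowed-referers property, matching on domain-label boundaries so that "google.com" covers "accounts.google.com" and "mail.google.com" but not "notgoogle.com". The runtime host bpm.example.com, the suffix-matching semantics of the property value, and rejection of a missing or malformed Referer are assumptions.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed values for the example; not from any real deployment.
BPM_RUNTIME_HOST = "bpm.example.com"   # assumed domain of the BPM runtime server
ALLOWED_REFERERS = ["google.com"]      # the value given to the allowed.referers JVM property


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Return the lowercase hostname from a Referer value, or None if absent or unparsable.

    urlsplit() discards userinfo, port and path, so "https://x@google.com:443/p"
    yields "google.com" and cannot be tricked by embedded '@' or ':' characters.
    """
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def domain_matches(host: str, allowed: str) -> bool:
    """True if host equals `allowed` or is a subdomain of it (label-boundary match).

    A plain endswith() would let "notgoogle.com" pass for "google.com"; requiring
    the dot before the allowed domain closes that gap.
    """
    allowed = allowed.lower().lstrip(".")
    return host == allowed or host.endswith("." + allowed)


def referer_allowed(referer: Optional[str],
                    runtime_host: str = BPM_RUNTIME_HOST,
                    extra_allowed: Iterable[str] = ALLOWED_REFERERS) -> bool:
    """Strict policy: missing, malformed or non-listed Referer values are rejected."""
    host = referer_host(referer)
    if host is None:
        return False
    return any(domain_matches(host, d) for d in [runtime_host, *extra_allowed])
```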