ACA_SECURITY_SETTING

Product

Citizen Access

Type

System Switch

Description

This Standard Choice controls whether Citizen Access validates the referer header in POST requests to prevent cross-site request forgery.

An enhancement was introduced in 7.3.3.7.1 which corrected the URL for secure payments made in ACA via the Govolution payment provider.

Table 1. ACA_SECURITY_SETTINGS Standard Choice Values

Standard Choice Value: ENABLE_URL_REFERER_CHECK
Value Description: Yes or No
Description: If the Value Description is No or undefined, Citizen Access does not validate the referer header in POST requests.

If you are using Govolution for your payment provider you must set this value to No. Refer to Setting ENABLE_URL_REFERER_CHECK to No for additional details.

If the Value Description is Yes, Citizen Access validates the referer header. Refer to Setting ENABLE_URL_REFERER_CHECK to Yes for additional details.

Standard Choice Value: TRUSTED_SITES
Value Description: Enter third-party trusted sites, separated by commas.
Description: The Value Description lists all the trusted sites whose POST requests can pass the validation by Citizen Access.

If you are using Govolution for your payment provider you must list all Govolution URLs (total of 6) and the DATA2 Hosturl from the X-POLICY table, each separated by a comma.

Setting ENABLE_URL_REFERER_CHECK to Yes

If you set ENABLE_URL_REFERER_CHECK to Yes, and the Citizen Access servers are load balanced, you must add all the servers as trusted sites:

  1. Add the key TrustedSites into the web.config file and add the server URLs (which can be either the IP URLs or domain URLs) in the key value. For example: <add key="TrustedSites" value="http(s)://[ACA SITE URL1]/,http(s)://[ACA SITE URL 2]/" />
  2. After the change, clear the cache in both Civic Platform and Citizen Access. ACA: click the Clear Cache button in ACA Admin. Civic Platform: Navigate to V360 Admin > Cache List portlet.
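The following is an added illustration, not Accela's code, of the referer validation that Table 1 and the TrustedSites key describe: POST requests are accepted only when the Referer origin is the site itself or one of the comma-separated trusted sites, while a setting of No or undefined skips the check entirely. The ENABLE_URL_REFERER_CHECK and TRUSTED_SITES values below are constructed sample values.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed sample values (not Accela defaults): the Standard Choice
# setting and a web.config TrustedSites value for two load-balanced nodes.
ENABLE_URL_REFERER_CHECK = "Yes"
TRUSTED_SITES = "https://aca1.example.gov/,https://aca2.example.gov/"


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its lower-cased scheme://host[:port] origin.

    Returns None for anything that is not an absolute http(s) URL, so a
    relative, empty or non-HTTP Referer can never match a trusted entry.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    default = 443 if parts.scheme == "https" else 80
    return origin if port in (None, default) else f"{origin}:{port}"


def parse_trusted_sites(value: str) -> Set[str]:
    """Split a comma-separated TrustedSites value into a set of origins."""
    return {o for o in (origin_of(s) for s in value.split(",")) if o}


def referer_check_passes(method: str, headers: Dict[str, str],
                         enable_check: Optional[str], trusted: Set[str],
                         own_origin: str) -> bool:
    """Model of the Table 1 semantics: only POSTs are checked; No/undefined
    accepts everything; Yes requires a Referer whose origin is this site or
    a trusted site. A missing Referer fails closed, because browsers may
    strip the header (Referrer-Policy) and accepting its absence would
    reopen the cross-site request forgery hole the check exists to close."""
    if method.upper() != "POST":
        return True
    if (enable_check or "").strip().lower() != "yes":
        return True  # check is off: the CSRF protection does not apply
    lower = {k.lower(): v for k, v in headers.items()}
    origin = origin_of(lower.get("referer", ""))
    return origin is not None and (origin == own_origin or origin in trusted)
```

Note that with ENABLE_URL_REFERER_CHECK set to No, as required for Govolution, every POST is accepted regardless of TrustedSites, so that setting should be paired with whatever other CSRF controls the deployment has.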

Setting ENABLE_URL_REFERER_CHECK to No

If you set ENABLE_URL_REFERER_CHECK to No, which is the use case for the Govolution payment processor, follow these additional steps:

  1. The TRUSTED_SITES value description must list all Govolution URLs (total of 6) and the DATA2 Hosturl from the X-POLICY table, each separated by a comma, as shown in these sample screenshots:

     X-POLICY Table: (screenshot)

     TRUSTED_SITES Value Desc for Govolution: (screenshot)
  2. After the change, clear the cache in both Civic Platform and Citizen Access. ACA: click the Clear Cache button in ACA Admin. Civic Platform: Navigate to V360 Admin > Cache List portlet.