Validating Referer Header in POST Requests

You can follow the steps below to enable Citizen Access to validate the referer header in POST requests.

To set up referer header validation

  1. Add a Standard Choice ACA_SECURITY_SETTING with two values: ENABLE_URL_REFERER_CHECK and TRUSTED_SITES.

    • Set the Value Description of ENABLE_URL_REFERER_CHECK to Yes. If the Value Description is No or undefined, Citizen Access does not validate the referer header in POST requests.

    • Add third-party trusted sites in the Value Description of TRUSTED_SITES.

  2. If the Citizen Access servers are load balanced, add the key TrustedSites into the web.config file and add all the Citizen Access server URLs (which can be either the IP URLs or domain URLs) in the key value. For example:

    <add key="TrustedSites" value="http(s)://[ACA SITE URL 1]/,http(s)://[ACA SITE URL 2]/" />

  3. Click the Clear Cache button in ACA Admin, or restart the Citizen Access servers, to make all the settings take effect.
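The kind of check these settings switch on, written as an added Python example (this is not Accela's code; the exact matching rule Citizen Access applies is not stated on the page, so the origin comparison and the placeholder host names below are assumptions):

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed sample in the same comma-separated form as the web.config
# TrustedSites key; the hosts are placeholders, not a real deployment.
TRUSTED_SITES = "https://aca1.example.com/,https://aca2.example.com:8443/,http://10.0.0.5/"


def _origin(url: str) -> tuple[str, str, int] | None:
    """Reduce a URL to (scheme, host, port), or None if it is unusable."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed netloc or non-numeric port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def parse_trusted_sites(value: str) -> set[tuple[str, str, int]]:
    """Turn the TrustedSites string into a set of origins. Comparing whole
    origins instead of URL prefixes means https://aca1.example.com.evil.net/
    is not mistaken for https://aca1.example.com/."""
    origins = set()
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        origin = _origin(raw)
        if origin is None:
            raise ValueError(f"invalid trusted site entry: {raw!r}")
        origins.add(origin)
    return origins


def referer_is_trusted(referer: str | None, trusted: set[tuple[str, str, int]]) -> bool:
    """True only when the Referer header names a trusted origin. A missing
    or malformed Referer on a POST is treated as untrusted, not allowed."""
    if not referer:
        return False
    origin = _origin(referer)
    return origin is not None and origin in trusted


def check_post(headers: dict[str, str], enabled: bool = True) -> bool:
    """Mirror the ENABLE_URL_REFERER_CHECK switch: when it is not Yes the
    check is skipped; otherwise the Referer must match a trusted origin."""
    if not enabled:
        return True
    return referer_is_trusted(headers.get("Referer"), parse_trusted_sites(TRUSTED_SITES))
```

Note that the scheme and port are part of the comparison, so an http:// entry does not cover the same host over https://; list each form that the servers actually serve.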