This section explains the XSRF-related configuration parameters for web security.
Enabling/Disabling XSRF feature
The websecurity.xsrf.enabled parameter controls the XSRF feature in the portal server. To enable it, set this parameter to true in the bmwebsecurity.conf file. By default this functionality is not enabled.
Enabling/Disabling tracing for XSRF
The websecurity.xsrf.trace parameter controls tracing for the XSRF component. To enable it, set this parameter to true in the bmwebsecurity.conf file. By default tracing is not enabled and only informational messages are written to the bmwebsecurity.log file.
Setting up oebps.front.host parameter
The value of this parameter is a comma-separated list of the host names through which the system is accessed. Omitting this parameter or leaving it empty disables the corresponding RefXSRF filter.
Recommendations for setting the oebps.front.host parameter:
Include localhost in the list; this is recommended for development instances.
For production systems, specify both the long (fully qualified) and short (base domain omitted) notation of each host name.
For example, if the BPM machine name is bpm and the domain name is visa.com, then both the bpm and bpm.visa.com entries should be specified.
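The following is an added illustration, not the product's own code, of the kind of Referer host check that the oebps.front.host list drives; it shows why the short and long notation both matter, and that an empty list (or a disabled XSRF feature) switches the check off. It assumes a simple key=value file format for bmwebsecurity.conf and that a request with no Referer header is rejected while the filter is active; neither detail is documented above.

```python
"""Constructed model of a Referer-based XSRF host check driven by the
oebps.front.host list. Not product code; see the assumptions above."""
from urllib.parse import urlsplit

# Constructed bmwebsecurity.conf fragment (key=value format is an assumption).
CONF_SAMPLE = """# constructed sample
websecurity.xsrf.enabled=true
websecurity.xsrf.trace=false
oebps.front.host=bpm, bpm.visa.com, localhost
"""


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def front_hosts(conf):
    """Return the comma-separated host list, trimmed and lower-cased."""
    raw = conf.get("oebps.front.host", "")
    return [h.strip().lower() for h in raw.split(",") if h.strip()]


def referer_allowed(conf, referer):
    """Decide whether a request passes the RefXSRF-style host check.

    The feature is off by default (websecurity.xsrf.enabled), and an unset or
    empty oebps.front.host disables the filter, so in both cases every request
    passes. Otherwise the host part of the Referer URL (port and credentials
    dropped, case-insensitive) must appear in the list. Treating a missing or
    unparsable Referer as a failure is an assumption of this illustration.
    """
    if conf.get("websecurity.xsrf.enabled", "false").lower() != "true":
        return True
    hosts = front_hosts(conf)
    if not hosts:
        return True
    if not referer:
        return False
    host = urlsplit(referer).hostname  # already lower-cased by urlsplit
    return host is not None and host in hosts
```

With only the short name bpm listed, a request whose Referer is http://bpm.visa.com/... is rejected, which is the failure the long-plus-short recommendation above avoids.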