ACA_SECURITY_SETTING

Product	Type
Citizen Access	System Switch

Description

This Standard Choice controls whether Citizen Access validates the referrer header in POST requests to prevent cross-site request forgery.

Standard Choice Value	Value Desc	Description
ENABLE_URL_REFERER _CHECK	Yes or No	If the Value Description is No or undefined, Citizen Access does not validate the referrer header in POST requests. If the Value Description is Yes, Citizen Access validates the referrer header. Refer to Setting ENABLE_URL_REFERER_CHECK to Yes for additional details.
TRUSTED_SITES	Enter third-party trusted sites, separated by commas.	The Value Description lists all the trusted sites whose POST requests can pass the validation by Citizen Access.

Standard Choice Value

Value Desc

Description

ENABLE_URL_REFERER _CHECK

Yes or No

If the Value Description is No or undefined, Citizen Access does not validate the referrer header in POST requests.

If the Value Description is Yes, Citizen Access validates the referrer header. Refer to Setting ENABLE_URL_REFERER_CHECK to Yes for additional details.

TRUSTED_SITES

Enter third-party trusted sites, separated by commas.

The Value Description lists all the trusted sites whose POST requests can pass the validation by Citizen Access.

Setting ENABLE_URL_REFERER_CHECK to Yes

If you set ENABLE_URL_REFERER_CHECK to Yes, and the Citizen Access servers are load balanced, you must add all the servers as trusted sites:

Add the key TrustedSites into the web.config file and add the server URLs (which can be either the IP URLs or domain URLs) in the key value. For example: <add key="TrustedSites" value="http(s)://[ACA SITE URL1]/,http(s)://[ACA SITE URL 2]/"
After the change, clear the cache in both Civic Platform and Citizen Access. ACA: click the Clear Cache button in ACA Admin. Civic Platform: Navigate to V360 Admin > Cache List portlet.