Cross-site forgery

Possible cross-site request forgery

RT has detected a possible cross-site request forgery for this request, because the Referrer header supplied by your browser ( is not allowed by RT’s configured hostname ( A malicious attacker may be trying to modify RT’s configuration on your behalf. If you did not initiate this request, then you should alert your security team.

I have tried setting Set( $WebPort, ‘443’ ); and Set( $WebPort, ‘80’ ); but i still get the same warning above.

FYI, I solved my issue using Set(@ReferrerWhitelist, qw());

1 Like

I’ve tried adding this line, as well as Set(ReferrerWhitelist,qw(localhost:80,; to the /etc/rt4/etc/ file, to no avail. Is this the correct file?

correction: Set(@ReferrerWhitelist,qw(localhost:80,;

Where to set that setting??

Hi @vladop, in

I’m having this same issue. I installed the site http and installed a cert and it is now HTTPS but I keep getting the forgery notice that is wanting to take it http.

I tried the whitelist setting, I’ve tried everything I found on google with no success.

Any pointers to get this forgery warning gone?

Having the same issue now with HTTPS, did you ever figure this out?

Did you update WebBaseURL in to be https?
Is it always complaining or just once in a while?

I realized I was not pushing the right RT config file, so my web server was running on 443 but RT did not have the new config with the accepted ports. Running it through docker-compose. Thank you for the help!

Thanks for this its really cleared all of my confusion about cross-site forgery. Thanks again


I worked out a fix to this issue by adding the below line to the file /etc/rt4/etc/ ( Location may vary depending on you installed version) for me it was opt/rt5/etc/

Set(@ReferrerWhitelist, qw(localhost:80;

You can add the hostname/IP address with which you are trying to access the RT.

1 Like

mjohnston’s answer (Sep 2021) probably has a stray comma after the first “80”. Lists in qw() are separated by spaces. Unless the code parsing this entry does a subsequent split on commas, the quoted code will treat “localhost:80,” as a single address.