Cross-site forgery

Possible cross-site request forgery

RT has detected a possible cross-site request forgery for this request, because the Referrer header supplied by your browser (domain.com:443) is not allowed by RT’s configured hostname (domain.com:80). A malicious attacker may be trying to modify RT’s configuration on your behalf. If you did not initiate this request, then you should alert your security team.

I have tried setting Set( $WebPort, '443' ); and Set( $WebPort, '80' ); but I still get the same warning above.

FYI, I solved my issue using Set(@ReferrerWhitelist, qw());

I’ve tried adding this line, as well as Set(ReferrerWhitelist,qw(localhost:80,127.0.0.1:80)); to the /etc/rt4/etc/RT_SiteConfig.pm file, to no avail. Is this the correct file?

correction: Set(@ReferrerWhitelist,qw(localhost:80,127.0.0.1:80));

Where to set that setting??

Hi @vladop, in RT_SiteConfig.pm

I’m having this same issue. I installed the site as HTTP, then installed a cert, and it is now HTTPS, but I keep getting the forgery notice that wants to take it to HTTP.

I tried the whitelist setting; I’ve tried everything I found on Google with no success.

Any pointers to get this forgery warning gone?

Having the same issue now with HTTPS, did you ever figure this out?

Did you update WebBaseURL in RT_SiteConfig.pm to be https?
Is it always complaining or just once in a while?

I realized I was not pushing the right RT config file, so my web server was running on 443 but RT did not have the new config with the accepted ports. Running it through docker-compose. Thank you for the help!

Thanks for this, it really cleared up all of my confusion about cross-site forgery. Thanks again.
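
A simplified model of the host:port comparison behind the warning quoted in this thread, as an added example that is not RT's source code or any poster's code; the function names are hypothetical and the referers are constructed. It also shows that Perl's qw() splits on whitespace only, so a comma-separated list becomes a single whitelist entry.

```perl
#!/usr/bin/perl
# Added example: simplified model of a host:port referrer check, not RT's code.
use strict;
use warnings;

my %DEFAULT_PORT = (http => 80, https => 443);

# Reduce a Referer URL to "host:port", filling in the scheme's default port.
sub referer_origin {
    my ($url) = @_;
    my ($scheme, $host, $port) =
        $url =~ m{^(https?)://([^/:?#]+)(?::(\d+))?(?:[/?#]|$)}i
        or return;
    return lc($host) . ':' . ($port // $DEFAULT_PORT{ lc $scheme });
}

# True when the Referer's host:port equals the configured site or a whitelist entry.
sub referer_allowed {
    my ($referer, $site, @whitelist) = @_;
    my $origin = referer_origin($referer);
    return 0 unless defined $origin;
    my $hits = grep { lc($_) eq $origin } $site, @whitelist;
    return $hits ? 1 : 0;
}

# Constructed cases: [ label, referer, configured domain:port, whitelist... ]
my @cases = (
    [ 'HTTPS referer, WebPort 80',  'https://domain.com/Admin/', 'domain.com:80'  ],
    [ 'HTTPS referer, WebPort 443', 'https://domain.com/Admin/', 'domain.com:443' ],
    # qw() splits on whitespace only: the comma form is ONE entry, and perl
    # warns "Possible attempt to separate words with commas" under warnings.
    [ 'qw() with a comma', 'http://localhost/', 'domain.com:443',
      qw(localhost:80,127.0.0.1:80) ],
    [ 'qw() with a space', 'http://localhost/', 'domain.com:443',
      qw(localhost:80 127.0.0.1:80) ],
);

for my $case (@cases) {
    my ($label, $referer, $site, @whitelist) = @$case;
    printf "%-28s entries=%d  %s\n", $label, scalar @whitelist,
        referer_allowed($referer, $site, @whitelist) ? 'allowed' : 'CSRF warning';
}
```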