https://communities.sas.com/t5/Administration-and-Deployment/CSRF-and-asterisk-sas-web-csrf-referers-knownHosts/m-p/833569#M25062 An asterisk does not meet the format set forth in the prompt for that field, so I think you'd need to do http://*/ and https://*/. I would agree if you want to permit from any host you should instead set "sas.web.csrf.referers.performCheck" to false and restart your middle tier.<BR /><BR />Whitelist of Websites and Methods Allowed to Link to SAS Web Applications<BR /><A href="https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1xtsni38p58t3n1ljd2fy4c3joz.htm" target="_blank">https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1xtsni38p58t3n1ljd2fy4c3joz.htm</A> Thu, 15 Sep 2022 12:22:20 GMT gwootton 2022-09-15T12:22:20Z https://communities.sas.com/t5/Administration-and-Deployment/CSRF-and-asterisk-sas-web-csrf-referers-knownHosts/m-p/833557#M25059 <P>Hi!</P> <P>&nbsp;</P> <P>We have to create a situation where user needs to see some report directly and therefore the link to exact report is placed at intranet webpage menu, for example <A href="https://web.domain.dn/" target="_blank" rel="noopener">https://web.domain.dn/somewhere/somepage</A>. The link to the report is similar to &lt;https://&lt;sas_midtier_host.doman.dn&gt;:8343/SASVisualAnalyticsViewer/?reportSBIP=SBIP://METASERVER/&lt;longer-path-to-report&gt;. &nbsp;So, it means that referer for the sas_midtier_host is different.</P> <P>&nbsp;</P> <P>Now, the problem is that even if I do have asterisk at&nbsp;sas.web.csrf.referers.knownHosts value, it still gives <EM>"The referring URL has been logged on the server. Please contact your SAS Administrator if you think the referring URL should be allowed. The SAS Administrator should review the information about cross site request forgery in the&nbsp;<A href="https://support.sas.com/documentation/onlinedoc/intellplatform/index.html" target="_blank" rel="noopener">SAS Intelligence Platform documentation</A>&nbsp;for instructions about using the&nbsp;<SPAN class="setting">sas.web.csrf.referers.knownHosts</SPAN>&nbsp;setting to whitelist the referring URL."</EM>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="referer-denies.PNG" style="width: 617px;"><img src="https://communities.sas.com/t5/image/serverpage/image-id/75270iE07A0BAD056D8AD8/image-size/large?v=v2&amp;px=999" role="button" title="referer-denies.PNG" alt="referer-denies.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="referer-knownhosts-asterix.PNG" style="width: 646px;"><img src="https://communities.sas.com/t5/image/serverpage/image-id/75272i96C7C1E1CBF535DD/image-size/large?v=v2&amp;px=999" role="button" title="referer-knownhosts-asterix.PNG" alt="referer-knownhosts-asterix.PNG" /></span></P> <P>&nbsp;</P> <P>I remember the asterisk was typed while installing the environment:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="referer-asterix-typed.PNG" style="width: 577px;"><img src="https://communities.sas.com/t5/image/serverpage/image-id/75273i4E3FCEB60F339E87/image-size/large?v=v2&amp;px=999" role="button" title="referer-asterix-typed.PNG" alt="referer-asterix-typed.PNG" /></span></P> <P>&nbsp;</P> <P>The easiest solution would be turning CSFR off completely as the asterisk shouldn't restrict anybody anyway. But I'm still curious why it gives me the denial because of referer, is asterisk suitable for the cell?</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P>PriitL</P> <P>&nbsp;</P> Thu, 15 Sep 2022 11:19:20 GMT https://communities.sas.com/t5/Administration-and-Deployment/CSRF-and-asterisk-sas-web-csrf-referers-knownHosts/m-p/833557#M25059 PriitL 2022-09-15T11:19:20Z https://communities.sas.com/t5/Administration-and-Deployment/CSRF-and-asterisk-sas-web-csrf-referers-knownHosts/m-p/833569#M25062 An asterisk does not meet the format set forth in the prompt for that field, so I think you'd need to do http://*/ and https://*/. I would agree if you want to permit from any host you should instead set "sas.web.csrf.referers.performCheck" to false and restart your middle tier.<BR /><BR />Whitelist of Websites and Methods Allowed to Link to SAS Web Applications<BR /><A href="https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1xtsni38p58t3n1ljd2fy4c3joz.htm" target="_blank">https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1xtsni38p58t3n1ljd2fy4c3joz.htm</A> Thu, 15 Sep 2022 12:22:20 GMT https://communities.sas.com/t5/Administration-and-Deployment/CSRF-and-asterisk-sas-web-csrf-referers-knownHosts/m-p/833569#M25062 gwootton 2022-09-15T12:22:20Z https://communities.sas.com/t5/Administration-and-Deployment/CSRF-and-asterisk-sas-web-csrf-referers-knownHosts/m-p/833825#M25068 <P>Thank You for Your reply.</P> <P>&nbsp;</P> <P>Still, entries "http://*/,https://*/" do not work. The entry should be "http://*.dn/,https://*.dn/" (if domain is domain.dn for example).</P> <P>&nbsp;</P> Fri, 16 Sep 2022 12:03:52 GMT https://communities.sas.com/t5/Administration-and-Deployment/CSRF-and-asterisk-sas-web-csrf-referers-knownHosts/m-p/833825#M25068 PriitL 2022-09-16T12:03:52Z