You have to include that setting in the forums’ “code” tags, otherwise the brackets are lost, with everything inside them. I don’t know what option you are referring to.
And perhaps explain better what you’re trying to do and why you think you need to do it. There have been recent posts about CSRF and recent security fixes (many). Although I don’t know much about CSRF, I’d like to try to understand better what concerns you might have.
Thanks for the reply. I think you are right that whitelisting all actions is a vulnerable thing.
I need to know the list of actions because users always get errors when they need to do something and need to ask the developer to whitelist the action.
If I could choose which actions should be whitelisted for them, users wouldn’t have to face this problem and everyone would be happy.
So, could you help me show the list of all actions for this config?
I think the problem is that we are using a network load balancer, so there are multiple instances of the web server.
For example, a user sees SuiteCRM from instance A for the first time.
After that, the user interacts with the system (e.g. create lead, update account, etc.) and the load balancer distributes the request to another instance.
So, CSRF is detected.
Is there any way to make SuiteCRM run well even when using a network load balancer?
You can try repeating the question here, with reference to load-balancing in the title (better: your specific kind of load-balancer hardware/software). Or perhaps you can get better replies on that load-balancer’s support site.
We have removed the load balancer and are using 1 instance only. But SuiteCRM still produces the CSRF message. We don’t find this problem on the local machine. One more thing: we deploy SuiteCRM automatically using Jenkins from a GitHub push. Is there any setting for SuiteCRM to allow Jenkins CI/CD?
I have installed SuiteCRM dozens of times and I never had any CSRF messages. Maybe it’s something peculiar in your set up, maybe it’s one of the recent security fixes.
How exactly do you deploy (I don’t know what Jenkins is)?
You can pull the files from GitHub, but then you always have to set permissions and run the installer (although there is a silent install option that you can run automatically). Only then is SuiteCRM installed.
Another couple of things you can check:
Any weird Apache options that could be causing this? Any .htaccess settings?
Settings in config.php, namely “host_name” and “site_url”
Thanks for the reply. We have solved the CSRF issue now. The problem was not the load balancer or the CI/CD. The CSRF issue was detected because we didn’t set the alias name in the web server config (e.g. nginx / apache). So, every time we accessed SuiteCRM using the domain name, it would detect a CSRF issue.
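As an added illustration (not SuiteCRM’s own CSRF code and not written by anyone in this thread), here is a minimal host/origin comparison of the kind that fails when the web server has no alias for the public domain name, so the request’s Host and Referer no longer match the configured site_url; csrf_host_check is a hypothetical helper, and the site_url, hostnames and header values are constructed samples.

```python
# Added illustration, not SuiteCRM's own code: a minimal host-based CSRF
# check. It only passes when the request's Host header and its
# Origin/Referer both name the configured site (site_url from config.php)
# or one of the aliases the web server is configured to serve.
from urllib.parse import urlsplit


def _host(url_or_host):
    """Normalise a URL or bare host (optionally with :port) to a lowercase hostname."""
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host          # let urlsplit parse a bare host
    return (urlsplit(url_or_host).hostname or "").lower()


def csrf_host_check(site_url, headers, aliases=()):
    """Hypothetical helper. Return (ok, reason) for a state-changing request.

    site_url: value configured as 'site_url' in config.php (constructed sample)
    headers:  request headers of interest: Host, Origin, Referer
    aliases:  extra hostnames the web server serves (the missing 'alias name'
              from the thread, e.g. an nginx server_name / Apache ServerAlias)
    """
    allowed = {_host(site_url)} | {_host(a) for a in aliases}
    req_host = _host(headers.get("Host", ""))
    if req_host not in allowed:
        return False, f"Host {req_host!r} is not a configured site name {sorted(allowed)}"
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer on a state-changing request"
    if _host(origin) not in allowed:
        return False, f"Origin/Referer host {_host(origin)!r} does not match the site"
    return True, "ok"


if __name__ == "__main__":
    site = "http://10.0.0.5/suitecrm"                     # constructed sample
    via_domain = {"Host": "crm.example.com",
                  "Referer": "https://crm.example.com/suitecrm/index.php"}
    # Same request before and after the alias is configured on the web server.
    print(csrf_host_check(site, via_domain))                      # rejected
    print(csrf_host_check(site, via_domain, aliases=("crm.example.com",)))  # ok
```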