Installation help please - Possible Cross Site Request Forgery (XSRF) Attack Detected

Hi

I am new to SuiteCRM and have been trying now for days to get this figured out. I have a number of issues that I have tried following the docs on, but still have issues getting things working properly.

For now, I would like to focus on the error I get just about anytime I try to access any settings in Administration, and at times I have had the same issue with some users.

I keep getting Possible Cross Site Request Forgery (XSRF) Attack Detected. It says to add a setting that is essentially the URL to the config override which I have done, but that doesn’t solve it. I am now being forced to add individual entries for every single setting in Administration. This is taking hours to achieve what should be simple. And to make matters worse some of the errors don’t open in a full page so you cannot read what the value is that it feels needs to be added.
Is there a global list available somewhere that I can simply add and be done with it, or are there some other settings I should look at?

Running 7.11.18 on Debian 10 (tried 9 as well) with NGINX.

Any help would be appreciated, thanks. I probably have in excess of 36 hours consumed and I still haven’t been able to take it to a point where I feel it is working well enough to actually add a user… and for now will try and figure out why the elasticsearch schedule won’t run.

You shouldn’t be seeing that error at all. Don’t torture yourself working around it, try to figure out why it’s appearing and solve it.

Any suggestions? I have reviewed multiple install guides for settings. I originally installed as a subdirectory of my www site, and have now moved it to the root domain instead so that it is direct without a virtual directory… The URL in the browser matches. DNS settings point to that system. Is there something in particular that it would be looking at that would cause it to keep reporting that error?

Thanks

What do you have in config.php, entries site_url and host_name?

What exactly is the XSRF error you’re getting?

I have tried some different variations of the URL, but I have found that when you remove the 443 then some password reset links seem to go missing and I found a help article that suggested that 443 had to be there even though https was defined.

This is what’s in the config.php file. I have replaced the actual domain name.

config.php settings

'host_name' => 'mydomain.cloud',

'site_url' => 'https://mydomain.cloud:443'

And this is the error

Possible Cross Site Request Forgery (XSRF) Attack Detected
If you think this is a mistake please ask your administrator to add the following site to the acceptable referer list
mydomain.cloud
Click here for directions to add this site to the acceptable referer list
Directions:

On your file system go to the root of your SugarCRM instance
Open the file config_override.php. If it does not exist, create it. (it should be at the same level as index.php and config.php)
Make sure the file starts with

<?php

followed by a new line
Add the following line to your config_override.php file

$sugar_config['http_referer']['list'][] = 'mydomain.cloud';

Save the file and it should work 

It then goes on to suggest some possible additional entries that could be added… which I have not included.

Thanks

I don’t usually put the 443 in that value. Does the XSRF warning go away if you remove it?

This is the relevant part of the code where it tests for the warning, in case it helps:

No difference.

Removed the :443, rebuilt the config… tested… same.

Added two additional entries to config_override to see if that helps, but no luck either.
I.e. I added http://mydomain.cloud:443 and https://mydomain.cloud

I suspect I will probably need a fresh start…

I seem to have been able to get it installed and am no longer getting the error.

Cannot say exactly what solved it.
I found some settings in my nginx.conf file which may have been causing it, but on my last attempt I also set the directories to 777 for the install. I will correct those now that it is installed.

Now onto trying to get elasticsearch installed…

Thanks for the guidance.

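The kind of host-based referer check the error message implies, modelled as an added example (not SuiteCRM's code and not posted by anyone in the thread). It assumes only the host part of the Referer is compared against the server's own name and the `http_referer` list, which is what the bare `mydomain.cloud` entry in the directions suggests; the function name, the `crm.internal` server name and the sample Referer are constructed for illustration.

```php
<?php
// Added example: simplified model of a host-only referer allow-list check.
// Not SuiteCRM's implementation; all names below are hypothetical.

/**
 * Return true when the Referer's host equals the server name or is allow-listed.
 * Assumption: only the host is compared, so scheme, port and path are ignored.
 */
function referer_host_allowed(string $referer, string $serverName, array $allowList): bool
{
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // missing or unparsable Referer header
    }
    $host = strtolower($host);
    if ($host === strtolower($serverName)) {
        return true; // same-site request: no allow-list entry needed
    }
    // Strict comparison against each entry exactly as written in the list.
    return in_array($host, array_map('strtolower', $allowList), true);
}

// Constructed sample: Referer a browser would send from an admin page.
$referer = 'https://mydomain.cloud/index.php?module=Administration&action=index';

// Constructed cases: [server name as PHP sees it, allow-list entries].
$cases = [
    'server name matches'         => ['mydomain.cloud', []],
    'mismatch, bare host listed'  => ['crm.internal', ['mydomain.cloud']],
    'mismatch, URL-style entries' => ['crm.internal',
        ['http://mydomain.cloud:443', 'https://mydomain.cloud']],
];

foreach ($cases as $label => [$serverName, $allowList]) {
    $ok = referer_host_allowed($referer, $serverName, $allowList);
    printf("%-30s %s\n", $label, $ok ? 'allowed' : 'XSRF warning');
}
```

Under this assumption, entries written as full URLs never match, and no list entry is needed at all when the name the web server hands to PHP (for example `$_SERVER['SERVER_NAME']`) equals the host in the browser's address bar.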