origin check

origin check=no|none|loose|strict

Parameters:

origin check
This option can be set to one of the following values:
no or none
No origin check is performed on requests.
loose
A request is permitted if its source origin and target origin match, or if either origin is missing or opaque (the origin string is "null"). This blocks browser-based Cross-Site Request Forgery (CSRF) attacks, including those made with JavaScript, because a browser attaches the true source origin to cross-site requests and page scripts cannot change it.
strict
Requests whose source or target origin is missing or opaque are also rejected; only requests with matching, well-defined origins are permitted.

Properties:

Default:
loose
Values:
no, none, loose, strict

Comments:

Checking the origin of HTTP requests is a recommended defense against Cross-Site Request Forgery (CSRF). In practice, mounting a CSRF attack against an RFA listener is difficult because RFA is not normally used from a browser, and CSRF usually requires a browser. RFA includes the origin check as a defense-in-depth measure nonetheless. Most customers will not need to change this setting. It can be set to strict for additional protection if all of the listener's clients reliably send a source origin that matches the target, typically via the HTTP Origin and Host headers, or to none if non-compliant clients cause legitimate requests to be rejected by the origin check. Note that none removes the CSRF defense entirely, so prefer fixing the client where possible.
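The following stand-alone model shows how the three policies decide on a handful of constructed requests. It is an added example, not RFA's own code: it assumes the source origin is taken from the HTTP Origin header and the target origin from the Host header combined with the listener's scheme (TLS or not), and it treats a malformed Origin header as a mismatch in both loose and strict mode, which is a design choice of this example rather than documented RFA behaviour. Hostnames such as rfa.example.com and attacker.example are made up for illustration.

```python
"""Illustrative origin check with the no/none, loose and strict policies.

Added example, not RFA's implementation. Assumptions: source origin comes
from the Origin header, target origin from the Host header plus the
listener's own scheme; a malformed Origin is rejected in both modes.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _header(headers, name):
    """Case-insensitive lookup on a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_origin(value):
    """Return (scheme, host, port) for a serialized origin such as
    'https://rfa.example.com:8443'.

    Returns None when the origin is missing or opaque: the literal 'null',
    which browsers send for sandboxed frames, some redirects and file:// pages.
    Raises ValueError when a value is present but is not a well-formed origin.
    """
    if value is None:
        return None
    value = value.strip()
    if value == "" or value.lower() == "null":
        return None
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname or parts.path not in ("", "/"):
        raise ValueError(f"malformed origin: {value!r}")
    # .port raises ValueError itself for a non-numeric or out-of-range port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def target_origin(headers, tls):
    """Target origin = the listener's scheme plus the Host header; None if absent."""
    host = _header(headers, "Host")
    if host is None or host.strip() == "":
        return None
    scheme = "https" if tls else "http"
    return parse_origin(f"{scheme}://{host.strip()}")


def check_origin(mode, headers, tls=True):
    """Apply the configured policy. True means the request may proceed."""
    mode = mode.lower()
    if mode in ("no", "none"):
        return True  # no origin check at all
    if mode not in ("loose", "strict"):
        raise ValueError(f"unknown origin check mode: {mode!r}")
    try:
        source = parse_origin(_header(headers, "Origin"))
        target = target_origin(headers, tls)
    except ValueError:
        return False  # example's design choice: malformed never matches
    if source is None or target is None:
        # Missing or opaque origin: loose permits it, strict rejects it.
        return mode == "loose"
    return source == target


# Constructed sample requests (header dicts), not captured traffic.
SAMPLE_REQUESTS = {
    "same origin, explicit port": {"Host": "rfa.example.com:8443", "Origin": "https://rfa.example.com:8443"},
    "same origin, default https port": {"Host": "rfa.example.com", "Origin": "https://rfa.example.com"},
    "cross-site (CSRF attempt)": {"Host": "rfa.example.com:8443", "Origin": "https://attacker.example"},
    "scheme mismatch": {"Host": "rfa.example.com", "Origin": "http://rfa.example.com"},
    "non-browser client, no Origin": {"Host": "rfa.example.com:8443"},
    "opaque origin": {"Host": "rfa.example.com:8443", "Origin": "null"},
    "malformed Origin": {"Host": "rfa.example.com", "Origin": "https://rfa.example.com:notaport"},
}


def decisions(mode, tls=True):
    """Map each sample request name to the policy's allow/reject decision."""
    return {name: check_origin(mode, headers, tls) for name, headers in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for mode in ("none", "loose", "strict"):
        print(f"--- origin check={mode}")
        for name, allowed in decisions(mode).items():
            print(f"  {'ALLOW' if allowed else 'REJECT':6} {name}")
```

The two rows that differ between loose and strict are the ones without a usable source origin (no Origin header, or Origin: null): loose lets them through, which is what keeps non-browser RFA clients working, while strict rejects them. Note that a scheme or port difference counts as a mismatch, so a listener behind a TLS-terminating proxy must derive the target origin from the external scheme and port, not the ones it sees locally.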