On 28.05.15 at 10:11, Daniel Sungjin Jung wrote:
> Hi,
>
> Checking the “Allow Empty” checkbox in Apache Sling Referrer Filter is not
> recommended in production service.
> I’d like to know what specific security risks we face if we turn it on for
> production service.

If you do no referrer check, you're e.g. vulnerable to CSRF attacks (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_The_Referer_Header). Unless you have another CSRF protection in place, of course.

Regards
Carsten
--
Carsten Ziegeler
Adobe Research Switzerland
[email protected]
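The risk Carsten describes can be made concrete with a small model of a referrer-based CSRF check. The code below is an added illustration, not Sling's Referrer Filter and not part of this thread: it models one switch (`allow_empty`, standing in for the "Allow Empty" checkbox) that decides what happens to a state-changing request that carries no Referer header, and an optional `origin_fallback` that applies the Origin-header fallback recommended by the linked OWASP cheat sheet. The host list, header values and request samples are constructed for the demonstration.

```python
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed sample: hosts this deployment treats as its own origin.
ALLOWED_HOSTS = {"cms.example.com"}

# Methods that change server state and therefore need a CSRF check.
# GET/HEAD/OPTIONS are treated as safe in this model.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def _host_of(url: Optional[str]) -> Optional[str]:
    """Extract the hostname from an absolute URL; None if missing/unparsable."""
    if not url:
        return None
    return urlparse(url).hostname


def referrer_check(method: str, headers: Dict[str, str],
                   allow_empty: bool, origin_fallback: bool = False) -> bool:
    """Return True if the request passes the referrer-style CSRF check.

    Simplified model (assumption, not Sling's implementation):
      - safe methods always pass;
      - a Referer from an allowed host passes, any other host is rejected;
      - with no Referer at all, allow_empty decides: True accepts the request
        blindly, False rejects it unless origin_fallback finds an allowed Origin.
    """
    if method.upper() not in STATE_CHANGING:
        return True

    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    referer = h.get("referer")

    if not referer:
        if allow_empty:
            # This is the gap: a request with no Referer is indistinguishable
            # from a same-site one, so it is accepted without any proof of origin.
            return True
        if origin_fallback:
            # OWASP's recommendation: fall back to the Origin header, which
            # browsers send on cross-origin POSTs, before rejecting.
            return _host_of(h.get("origin")) in ALLOWED_HOSTS
        return False

    return _host_of(referer) in ALLOWED_HOSTS


def run_samples() -> Dict[str, bool]:
    """Evaluate constructed requests under both filter settings."""
    same_site = {"Referer": "https://cms.example.com/editor.html"}
    cross_site = {"Referer": "https://other.example.net/page.html"}
    no_referer: Dict[str, str] = {}                    # Referer omitted entirely
    origin_only = {"Origin": "https://cms.example.com"}  # Referer stripped, Origin present

    return {
        "same_site/strict": referrer_check("POST", same_site, allow_empty=False),
        "cross_site/strict": referrer_check("POST", cross_site, allow_empty=False),
        "cross_site/allow_empty": referrer_check("POST", cross_site, allow_empty=True),
        "no_referer/allow_empty": referrer_check("POST", no_referer, allow_empty=True),
        "no_referer/strict": referrer_check("POST", no_referer, allow_empty=False),
        "origin_only/strict": referrer_check("POST", origin_only, allow_empty=False),
        "origin_only/fallback": referrer_check("POST", origin_only, allow_empty=False,
                                               origin_fallback=True),
    }


if __name__ == "__main__":
    for name, allowed in run_samples().items():
        print(f"{name:28s} -> {'ALLOWED' if allowed else 'rejected'}")
```

The two rows worth comparing are `no_referer/allow_empty` and `no_referer/strict`: with the box ticked, a state-changing request that arrives without a Referer sails through, which is exactly the case the referrer check exists to catch. The `origin_only` rows show why a strict setting need not break legitimate clients that omit the Referer: checking the Origin header first, as the cheat sheet suggests, keeps those requests working without accepting anonymous ones.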
