Referrer headers are not a secure countermeasure to CSRF attacks.

Your CMS should be *inside* your secure zone and should not require specific 
CSRF treatment. You could apply IP restrictions at the IIS end, or you could 
drop out to Kerberos authentication which doesn't rely on cookies and is much 
harder to spoof.

Richard.

-----Original Message-----
From: "Pierre Kruppik" <pierre.krup...@gmail.com>
Sent: 24/02/2014 22:15
To: "reddot-cms-users@googlegroups.com" <reddot-cms-users@googlegroups.com>
Subject: Set referer to execute plugin using user-defined job

Hi!


Since the security-related changes (CSRF) it is not possible to execute a plugin 
using a user-defined job (call URL). I just added the referer to the header of 
my plugin, but it doesn't work.


<%
' Response.AddHeader adds a header to the HTTP response this page sends back;
' it has no effect on the Referer of any request. (Trailing ";" removed: it is
' a syntax error in VBScript.)
Response.AddHeader "Referer", "http://myhost/cms/"
%>


Are there any restrictions in the IIS?




Regards,
Pierre




-- 
You received this message because you are subscribed to the Google Groups 
"RedDot CMS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reddot-cms-users+unsubscr...@googlegroups.com.
To post to this group, send email to reddot-cms-users@googlegroups.com.
Visit this group at http://groups.google.com/group/reddot-cms-users.
For more options, visit https://groups.google.com/groups/opt_out.
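To illustrate Richard's point that the Referer header is not a secure CSRF countermeasure, here is an added example (not code from the thread or from the CMS): the Referer is whatever the client chose to send, so a check on it rejects legitimate users whose browsers or proxies suppress it and accepts any non-browser client that asserts it, whereas a synchronizer token bound to the session is something the server issued and can verify. The host "myhost" comes from the thread; the `Cookie-Session` header, session ids and the three requests are constructed, and `evaluate` returns both verdicts.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

TRUSTED_HOST = "myhost"               # CMS host taken from the thread
SECRET_KEY = secrets.token_bytes(32)  # server-side key (constructed, per process)


def referer_check(headers: dict) -> bool:
    """Accept when the Referer names the CMS host. The header is whatever the
    client chose to send, and legitimate requests with it suppressed are rejected."""
    ref = headers.get("Referer")
    return bool(ref) and urlsplit(ref).hostname == TRUSTED_HOST


def issue_token(session_id: str) -> str:
    """Synchronizer token: HMAC over the session id, handed out with the CMS page."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(headers: dict, form: dict) -> bool:
    """Accept only when the submitted token matches the one bound to the session.
    A cross-site page cannot read it, and a trusted job can be given it explicitly."""
    session_id = headers.get("Cookie-Session")  # simplified: session id from the cookie
    token = form.get("csrf_token", "")
    if not session_id or not token:
        return False
    return hmac.compare_digest(token, issue_token(session_id))


def evaluate(req: dict) -> dict:
    return {"referer": referer_check(req["headers"]),
            "token": token_check(req["headers"], req["form"])}


# Constructed requests to the plugin URL:
# 1. a user in the CMS UI; the browser sets the Referer, the form carries the token
BROWSER = {"headers": {"Referer": "http://myhost/cms/", "Cookie-Session": "sess-A"},
           "form": {"csrf_token": issue_token("sess-A")}}
# 2. the same user behind a proxy or referrer policy that strips the Referer
NO_REFERER = {"headers": {"Cookie-Session": "sess-A"},
              "form": {"csrf_token": issue_token("sess-A")}}
# 3. a non-browser client (like the user-defined job) that asserts a Referer, no token
SCRIPTED = {"headers": {"Referer": "http://myhost/cms/", "Cookie-Session": "sess-A"},
            "form": {}}

if __name__ == "__main__":
    for name, req in [("browser", BROWSER), ("no_referer", NO_REFERER), ("scripted", SCRIPTED)]:
        print(name, evaluate(req))
```

Only the token check gives the right answer in all three cases, which is why the job should be issued a token (or authenticated another way, as Richard suggests) rather than a Referer.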
