Hi, I've been trying to use CsrfPreventionRequestCycleListener in production. However, we are seeing in the logs that about 30 times a day we get the request aborted because the clients' browsers are sometimes not sending the referrer header. Doing some research, it seems we cannot rely on the client's browser to send the referrer, and it could be somewhat buggy in older browsers.
Does anyone else experience this trouble? Are there any alternatives? I did try:

    getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
    setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));

However, this encrypts everything (resources, URLs, etc.). Is there a way of just encrypting, say, forms and links or something? Anyone got a solution that works for them in production?

Many thanks
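
Added example, not part of the original post and not Wicket's own code: a simplified, self-contained Java model of an Origin-then-Referer check, showing how the policy chosen for requests that carry neither header decides whether those clients get aborted. The class name, the normalize/decide helpers and the example.com origins are assumptions made for illustration; only the action names mirror Wicket's CsrfAction.

```java
import java.net.URI;
import java.util.*;

// Simplified model of an Origin/Referer CSRF check (illustrative, not Wicket source).
public class OriginCheckDemo {
    enum Action { ALLOW, SUPPRESS, ABORT }   // names mirror Wicket's CsrfAction

    // Reduce a header value to scheme://host[:port]; null if it is not a usable URL.
    static String normalize(String uri) {
        try {
            URI u = URI.create(uri.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;
            String s = (u.getScheme() + "://" + u.getHost()).toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? s : s + ":" + u.getPort();
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // Origin is preferred and Referer is only a fallback; both may be absent.
    static Action decide(Map<String, String> headers, String ownOrigin,
                         Action noOriginAction, Action conflictingOriginAction) {
        String source = headers.get("Origin");
        if (source == null || source.isBlank()) source = headers.get("Referer");
        if (source == null || source.isBlank()) return noOriginAction;
        // A header that is present but unparsable (e.g. "null") counts as a conflict.
        return ownOrigin.equals(normalize(source)) ? Action.ALLOW : conflictingOriginAction;
    }

    public static void main(String[] args) {
        String own = "https://app.example.com";   // constructed value
        // Constructed sample requests (header name -> value).
        Map<String, Map<String, String>> requests = new LinkedHashMap<>();
        requests.put("same-origin form post", Map.of("Origin", "https://app.example.com"));
        requests.put("referer only", Map.of("Referer", "https://app.example.com/page?1"));
        requests.put("cross-site post", Map.of("Origin", "https://other.example.net"));
        requests.put("opaque origin", Map.of("Origin", "null"));
        requests.put("neither header sent", Map.of());
        // Compare a strict and a lenient policy for requests without either header.
        for (Action policy : List.of(Action.ABORT, Action.ALLOW)) {
            System.out.println("noOriginAction=" + policy);
            requests.forEach((name, h) -> System.out.println(
                    "  " + name + " -> " + decide(h, own, policy, Action.ABORT)));
        }
    }
}
```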