Preventing CSRF and Host Header Attacks
localhost. This prevents a type of attack known as a Host Header Attack and Cross Site Origin Request Attack.
- Use a text editor to open the file at \xpressmp\insight\server\wildfly-x.y.z.Final\standalone\configuration\standalone.xml.
- Within standalone.xml, find the section that contains the following text:
  <system-properties>
- Locate the following property, which by default will have an empty value:
  <property name="com.fico.xpress.insight.ServerUrl" value=""/>
- Edit this property's value to be the URL that users must use to access the service, in this case https://insight.example.com:8443:
  <property name="com.fico.xpress.insight.ServerUrl" value="https://insight.example.com:8443"/>
- Save your changes to standalone.xml.
- Restart the Xpress Insight service.
Result
These configuration settings allow Xpress Insight to be served as expected on https://insight.example.com:8443/, but will respond with 503 Service Unavailable if a user attempts to access Insight on any other URL, such as https://localhost:8443/. The server will also respond with 403 Forbidden if a resource is requested with a referer header that differs from the configured URL.
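The behaviour described above, modelled as an added Python example (this is illustrative code, not Insight's or WildFly's own implementation): it reads the com.fico.xpress.insight.ServerUrl property from a constructed standalone.xml fragment, then evaluates sample requests against that URL, answering 503 when the Host header does not match the configured origin and 403 when a Referer is present but points elsewhere. The function names, the sample XML, and two decisions the page does not spell out (an absent Referer is allowed, and only the scheme/host/port of the Referer is compared, not its path) are assumptions.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed fragment standing in for the <system-properties> section of
# standalone.xml; the real file carries more content and a namespace.
SAMPLE_STANDALONE_XML = """<server>
  <system-properties>
    <property name="com.fico.xpress.insight.ServerUrl" value="https://insight.example.com:8443"/>
  </system-properties>
</server>"""

SERVER_URL_PROPERTY = "com.fico.xpress.insight.ServerUrl"
DEFAULT_PORTS = {"http": 80, "https": 443}


def read_server_url(xml_text):
    """Return the value of the ServerUrl property, or "" if it is absent/empty (the default)."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == SERVER_URL_PROPERTY:
            return prop.get("value", "")
    return ""


def origin_of(url):
    """Reduce a URL to (scheme, host, port), filling in the default port.

    Returns None when the URL is empty, has an unknown scheme, lacks a host,
    or carries an unparsable port, so callers treat it as 'no valid origin'.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "host:abc"
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def check_request(server_url, scheme, host_header, referer=None):
    """Decide the HTTP status for a request, mirroring the documented outcomes.

    server_url  - configured ServerUrl ("" disables the check, as the default does)
    scheme      - scheme the request arrived on ("http" or "https")
    host_header - raw Host header, e.g. "insight.example.com:8443"
    referer     - raw Referer header, or None when the client sent none
    """
    expected = origin_of(server_url)
    if expected is None:
        return 200  # no ServerUrl configured: nothing to enforce (assumed)

    # The Host header has no scheme of its own, so pair it with the request's
    # scheme to normalise it through the same origin parser.
    actual = origin_of(f"{scheme}://{host_header}")
    if actual != expected:
        return 503  # Host Header Attack defence: unexpected host/port/scheme

    # Assumption: a missing Referer is tolerated (direct navigation); a present
    # Referer must come from the configured origin, path ignored.
    if referer is not None and origin_of(referer) != expected:
        return 403  # cross-site request: Referer origin differs from ServerUrl
    return 200


if __name__ == "__main__":
    url = read_server_url(SAMPLE_STANDALONE_XML)
    samples = [
        ("https", "insight.example.com:8443", None),
        ("https", "localhost:8443", None),
        ("https", "insight.example.com:8443", "https://insight.example.com:8443/app/"),
        ("https", "insight.example.com:8443", "https://attacker.example/form"),
    ]
    for scheme, host, ref in samples:
        print(f"{scheme}://{host} referer={ref!r} -> {check_request(url, scheme, host, ref)}")
```

Comparing origins rather than raw strings matters: "insight.example.com" with no port and "insight.example.com:443" over https are the same origin, while a changed scheme or port is not, and normalising through origin_of keeps that distinction explicit.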
© 2001-2023 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.