Product: TIBCO Spotfire®
Request for URL /wp/render/.../WebViewRead.ashx is denied because the request does not contain the required CSRF token
When end-user requests to TIBCO Spotfire Server are routed through an F5 load balancer, the following message may appear in server.log:
"Request for URL /wp/render/..../WebViewRead.ashx is denied because the request does not contain the required CSRF token"
This happens because F5's Application Security Manager (ASM) is usually configured for CSRF protection, which interferes with Spotfire's own CSRF protection: F5 ASM assigns another CSRF token to the request, which results in access-denied errors on the Spotfire side. It is recommended to enable CSRF protection on the TIBCO Spotfire Server. However, if CSRF protection must be enabled on the load balancer, it can be disabled in Spotfire as described below. Follow these steps to disable CSRF protection (press Return/Enter after every command):
- Launch a command prompt on the TIBCO Spotfire Server and export the Spotfire configuration using the following command:
- Run the following command to disable CSRF protection:
config config-csrf-protection --enabled=false
- Run the following command to import the configuration into the Spotfire database:
config import-config -c "Disabled CSRF protection"
- Restart the Spotfire Server Service.
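To confirm the symptom before the change, and that the denials stop once the service has restarted, the server.log message quoted above can be counted per URL. This is an added example, not TIBCO's code; the timestamp layout at the start of each line, the constructed sample lines and the function name `csrf_denials` are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Message text as quoted in this article; the denied URL is captured.
DENIAL = re.compile(
    r"Request for URL (?P<url>\S+) is denied because the request "
    r"does not contain the required CSRF token"
)
# Assumption: each log line starts with an ISO-style timestamp.
STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})")


def csrf_denials(lines, since=None):
    """Count CSRF-token denials per URL, optionally only at or after `since`."""
    counts = Counter()
    for line in lines:
        hit = DENIAL.search(line)
        if not hit:
            continue
        if since is not None:
            ts = STAMP.match(line)
            # A denial without a parseable timestamp is still counted,
            # so a format mismatch cannot hide a remaining problem.
            if ts and datetime.fromisoformat(f"{ts[1]}T{ts[2]}") < since:
                continue
        counts[hit["url"]] += 1
    return counts


# Constructed sample lines (not real server.log output).
TAIL = " is denied because the request does not contain the required CSRF token"
SAMPLE_LOG = [
    "2024-01-10T09:15:02 WARN Request for URL /wp/render/EXAMPLE1/WebViewRead.ashx" + TAIL,
    "2024-01-10T09:15:07 WARN Request for URL /wp/render/EXAMPLE1/WebViewRead.ashx" + TAIL,
    "2024-01-10T09:16:30 WARN Request for URL /wp/render/EXAMPLE2/WebViewRead.ashx" + TAIL,
    "2024-01-10T09:58:41 INFO Configuration imported",
    "2024-01-10T10:00:12 INFO Server started",
]
RESTART = datetime(2024, 1, 10, 10, 0, 0)  # constructed service restart time

if __name__ == "__main__":
    print("all denials:", dict(csrf_denials(SAMPLE_LOG)))
    print("since restart:", dict(csrf_denials(SAMPLE_LOG, since=RESTART)))
```

A non-empty result for the period after the restart means requests are still being rejected by Spotfire and the imported configuration has not taken effect.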