Request for URL /wp/render/.../WebViewRead.ashx is denied because the request does not contain the required CSRF token

Request for URL /wp/render/.../WebViewRead.ashx is denied because the request does not contain the required CSRF token

When end user requests to TIBCO Spotfire Server are routed through an F5 load balancer, the following message may be seen in the server.log:
 

"Request for URL /wp/render/..../WebViewRead.ashx is denied because the request does not contain the required CSRF token"

This is because F5's Application Security Manager (ASM) is usually configured for CSRF protection which interferes with Spotfire's CSRF protection (F5 ASM will assign another CSRF token to the request, resulting in access denied errors on the Spotfire side). It is recommended to enable CSRF on the TIBCO Spotfire Server. However if it is a requirement that CSRF protection has to be enabled on the load balancer, then it can be disabled in Spotfire like described below. Follow the steps below to disable CSRF protection (Press return / Enter after every command):

1. Launch command prompt on the TIBCO Spotfire Server to export the Spotfire configuration using the following command:  

   config export-config

2. Run the following command to disable CSRF protection:  

   config config-csrf-protection --enabled=false

3. Run the following command to import the configuration to Spotfire database:

   config import-config -c "Disabled CSRF protection"

4. Restart the Spotfire Server Service.

External: Protecting against CSRF

• https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/27.html#unique_2079379720