Version Affected: All
Password Reset functionality breaks when a Referrer-Policy header is added to IIS response headers.
Note:- Password reset module works fine when customer create a realm locally, the problem comes when he wants to reset password remotely (Through realm setup in DMZ)
He keeps getting this error:-
The Referrer-Policy header, when it's added to IIS response headers as No referrer will break the password reset functionality.
If you still wish to set a Referrer-Policy, same-origin is closest to no-referrer because when our site is talking to itself on https, it'll keep the correct referrer. the rest of the time, it'll have no-referrer.
Else wise you can choose any of these as a best setting for Referrer policy header, though it would completely dependent your environment and security surface they want to maintain.
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Please sign in to leave a comment.