Password Reset functionality breaks when Referrer-Policy header is added to IIS response headers

    Applies to:
Deployment model:
  • Cloud
  • Hybrid
  • On Premises
  • Version Affected:  All

    Description:  

    Password Reset functionality breaks when a Referrer-Policy header is added to IIS response headers.

    Note: The password reset module works fine when the customer creates a realm locally; the problem occurs when the customer wants to reset a password remotely (through a realm set up in the DMZ).

    The customer keeps getting this error:

    mceclip0.png

     

    Cause:  

    When the Referrer-Policy header is added to the IIS response headers with the value no-referrer, it breaks the password reset functionality.

    Resolution:  

    If you still wish to set a Referrer-Policy, same-origin is the closest to no-referrer: when our site is talking to itself over https, it keeps the correct referrer, and the rest of the time it sends no referrer.

    Otherwise, you can choose any of these as the best setting for the Referrer-Policy header, though the choice depends entirely on your environment and the security surface you want to maintain.

    mceclip2.png

    mceclip3.png
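
    The reasoning in the resolution, as an added example (not SecureAuth code): a simplified JavaScript model of how a browser chooses the Referer value under each Referrer-Policy, showing that same-origin keeps the referrer for requests the site makes to itself and sends none elsewhere. The host names and paths are constructed, and "downgrade" is simplified to https going to non-https.

```javascript
// Added illustration: simplified model of the Referer value a browser sends
// for each Referrer-Policy value. Assumption: "downgrade" means https -> non-https.

// Referrer URLs never carry credentials or the fragment; origin-only drops the path too.
function stripUrl(u, originOnly) {
  const c = new URL(u.href);
  c.username = "";
  c.password = "";
  c.hash = "";
  return originOnly ? c.origin + "/" : c.href;
}

// Returns the Referer string, or null when no Referer header is sent.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const full = stripUrl(from, false), origin = stripUrl(from, true);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : origin);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Constructed sample URLs (hypothetical host and paths, not from the article).
const resetPage = "https://idp.example.com/realm/reset?step=2#top";
const sameSite = "https://idp.example.com/realm/confirm";
const thirdParty = "https://cdn.example.net/lib.js";

// Compare the breaking value with the suggested one for both kinds of request.
function compare() {
  return ["no-referrer", "same-origin"].map((policy) => ({
    policy,
    toSelf: referrerFor(policy, resetPage, sameSite),
    toThirdParty: referrerFor(policy, resetPage, thirdParty),
  }));
}

console.table(compare());
```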

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
