Troubleshooting Cross-Site Forgery Messages

Overview

While attempting to access a Sugar® page, you see the following error message: "Possible Cross Site Request Forgery (XSRF) Attack Detected".

Origin

The "Possible Cross-Site Request Forgery (XSRF) Attack Detected" message is generated when Sugar determines that the request did not come from an allowed host (the referring site is neither the instance's own host nor one on its acceptable referrer list) or that an unregistered action was called. The warning is usually generated for the following reasons:

  • A backup of a SugarCloud instance has been installed locally for testing, so it runs on a different host than the one it was configured for.
  • To protect users from malicious code or manipulated instances.
  • An action that is not registered in Sugar is called, for example:

    http://your_sugar_instance/index.php?module=Configurator&action=bad_action

    • If the action is not registered, Sugar warns the user about the possibility of manipulated actions.

Resolution

SugarCloud Instances

SugarCloud customers can file a case with the Sugar Support team for assistance with troubleshooting the cross-site forgery error message.

On-Site Instances

On-site clients should click the link ("Click here for directions to add this site to the acceptable referrer list") in the cross-site forgery error message to view the suggested fix and implement it. The following steps will go over how to add the specific site to the acceptable referrer list:

  1. Go to the root of your Sugar instance on your file system.
  2. Open the config_override.php file.
    • If the file does not exist, create it (it should be at the same level as index.php and config.php).
  3. Make sure the file begins with <?php followed by a new line.
  4. Add the following line of code to your config_override.php file:
    $sugar_config['http_referer']['list'][] = 'localhost';
    
    • Replace localhost with the site URL (e.g. www.google.com).
  5. Save the file and reload the page in Sugar.

Add Additional Actions

To add the unregistered action as an allowed action (e.g. an action from a custom module), add the following lines of code to the config_override.php file:

<?php
$sugar_config['http_referer']['actions'] = array(
    'index', 'ListView', 'DetailView', 'EditView', 'oauth', 'authorize',
    'Authenticate', 'Login', 'SupportPortal', 'bad_action'
);
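The following is an added example, not part of this article and not SugarCRM's own code. It puts the two config_override.php settings from the steps above (the appended referrer host and the allowed-actions array) into one file and models the decision they influence with a hypothetical helper, referer_allowed(), so you can see which requests would produce the XSRF message and which would not. Note that the actions line assigns the whole array, so the default entries must be kept alongside the new one, whereas the list line appends with `[]`. The hostnames, the extra action name and the sample requests are constructed values; the helper's rules (own host or listed host accepted, allow-listed actions accepted, missing Referer accepted) are an assumption about the behaviour described above, not Sugar's actual implementation.

```php
<?php
// Illustrative example added to this article; not SugarCRM's own code.
// Combines the two config_override.php settings described above and
// models the decision they influence. Hostnames, the extra action and
// the sample requests are constructed; referer_allowed() is a
// hypothetical helper, not Sugar's implementation of the check.

$sugar_config = array();

// Step 4 above: append an extra acceptable referrer host (constructed value).
$sugar_config['http_referer']['list'][] = 'crm.example.com';

// "Add Additional Actions" above: this assignment replaces the whole
// actions array, so the default entries are kept alongside the new one.
$sugar_config['http_referer']['actions'] = array(
    'index', 'ListView', 'DetailView', 'EditView', 'oauth', 'authorize',
    'Authenticate', 'Login', 'SupportPortal', 'bad_action',
);

/**
 * Model of the referrer check (an assumption, not Sugar's code): a request
 * is rejected with the XSRF message when it carries a Referer whose host is
 * neither the instance's own host nor on the configured list, and the
 * requested action is not on the allowed-actions list. A request with no
 * Referer header has nothing to compare against and is accepted here.
 */
function referer_allowed(array $config, string $serverHost, ?string $referer, string $action): bool
{
    $allowedActions = $config['http_referer']['actions'] ?? array();
    if (in_array($action, $allowedActions, true)) {
        return true;            // allow-listed action: no referrer check
    }
    if ($referer === null || $referer === '') {
        return true;            // no Referer header: nothing to compare
    }
    $refererHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refererHost)) {
        return false;           // unparsable Referer: treat as not allowed
    }
    $allowedHosts = array_merge(array($serverHost), $config['http_referer']['list'] ?? array());
    return in_array(strtolower($refererHost), array_map('strtolower', $allowedHosts), true);
}

// Constructed sample requests: [server host, Referer header, action, expected result]
$samples = array(
    array('crm.example.com', 'https://crm.example.com/index.php?module=Accounts', 'Save', true),  // own host
    array('localhost', 'https://crm.example.com/index.php', 'Save', true),        // host on the list
    array('localhost', 'https://other.example.net/page.html', 'Save', false),     // neither own host nor listed
    array('localhost', 'https://other.example.net/page.html', 'Login', true),     // default allow-listed action
    array('localhost', 'https://other.example.net/page.html', 'bad_action', true),// action added above
    array('localhost', null, 'Save', true),                                       // no Referer sent
);

foreach ($samples as [$host, $referer, $action, $expected]) {
    $result = referer_allowed($sugar_config, $host, $referer, $action);
    printf("%-16s %-50s %-11s -> %s%s\n",
        $host, $referer ?? '(none)', $action,
        $result ? 'allowed' : 'XSRF message',
        $result === $expected ? '' : '  (unexpected)');
}
```

Run it with `php` from the command line (the file name is your choice; it is not a Sugar entry point). The third sample reproduces the situation from the "Origin" section: a request from a host that is neither the instance's own nor on the list, calling an action that is not allow-listed, is the one that triggers the message; adding either the host to `list` or the action to `actions` makes it pass. Adding an action to `actions` exempts it from the referrer check entirely, so prefer adding the host to `list` when the real cause is simply that the instance is running on a different host.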