Support Article
CSRFAttack warning message repeats in PegaRULES logfile
SA-18009
Summary
The following warning message is observed in the PegaRULES logfile: "URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack Missing harness ID".
The user needs to know what action to take to eliminate this warning.
Error Messages
"URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack Missing harness ID"
Steps to Reproduce
The issue is sporadic in nature.
Root Cause
The root cause of this problem is a backward compatibility defect in Pegasystems’ code or rules.
A new parameter was added to RedirectAndRun that should be specified in any custom code.
Resolution
The warning message can be eliminated in one of two ways.
Either disable these warnings entirely using a prconfig setting,
(or)
review the RedirectAndRun calls in the application to ensure they all include an "action" parameter with an appropriate value.
See the following Support Article for further information on the second option mentioned:
https://pdn.pega.com/support-articles/csrfattack-observed-logs
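One way to carry out the review described above, as an added example that is not part of the original article or Pega's own tooling: a scanner that flags RedirectAndRun calls with no "action" parameter, or an empty one. It assumes the calls appear in exported rule text as URL query strings with the activity named in a pyActivity parameter; the sample lines, thread names and EXAMPLE_VALUE are constructed.

```python
import re

from urllib.parse import parse_qsl

# Assumption: each call shows up as a URL query string whose pyActivity
# parameter names RedirectAndRun. The leading part of the pattern captures
# parameters that precede pyActivity in the same query string.
CALL_RE = re.compile(
    r"[^\s\"'<>?]*pyActivity=[^&\s\"'<>]*RedirectAndRun[^\s\"'<>]*",
    re.IGNORECASE,
)


def audit_redirect_calls(lines):
    """Return (line_no, problem, call) for calls lacking a usable "action"."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in CALL_RE.finditer(line):
            # HTML-escaped separators would otherwise hide parameter names.
            call = match.group(0).replace("&amp;", "&")
            # Only top-level parameters count; an "action" that is URL-encoded
            # inside another parameter's value belongs to the nested request.
            # Names are compared case-insensitively (an assumption).
            params = {k.lower(): v
                      for k, v in parse_qsl(call, keep_blank_values=True)}
            if "action" not in params:
                findings.append((line_no, "missing action", call))
            elif not params["action"].strip():
                findings.append((line_no, "empty action", call))
    return findings


# Constructed sample input (not taken from a real application).
SAMPLE = [
    '<a href="/prweb/PRServlet?pyActivity=%40baseclass.RedirectAndRun'
    '&amp;ThreadName=T1&amp;Location=pyActivity%3DShowPortal%26action%3Dx">',
    'url = "?pyActivity=@baseclass.RedirectAndRun&action=EXAMPLE_VALUE&ThreadName=T2"',
    'url = "?action=&pyActivity=RedirectAndRun&ThreadName=T3"',
    'url = "?pyActivity=Work-.Open&ThreadName=T4"',
]

if __name__ == "__main__":
    for line_no, problem, call in audit_redirect_calls(SAMPLE):
        print(f"line {line_no}: {problem}: {call}")
```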
To disable these warning messages entirely, use the following prconfig.xml file entry:
<env name="security/urlaccessmode" value="allow" />
Published January 31, 2016 - Updated October 8, 2020