My Oracle Support Banner

CSRF-Protection Check Failure When Calling OAG Application Registry Behind A Proxy (Doc ID 2272436.1)

Last updated on OCTOBER 07, 2022

Applies to:

Oracle API Gateway - Version and later
Information in this document applies to any platform.


While using the Application Registry to manage OAuth Credentials with OAG, the registry is expected to be placed behind a reverse proxy for additional protection.

This fails because the application does not trust the new URL, throwing the following error in the OAG trace:

  "CSRF-protection check for referer https://... failed"

Using a reverse proxy doesn't work because the registry also depends on browser-side logic which uses port 8089 by default.

Is it possible to configure a policy to allow the application to accept other host/port combinations or, alternately, change the host/port used by the browser-side logic to connect to the website?


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.