Enable Anti-CSRF Token for Userpref

  • Release version: Australia
  • Updated March 12, 2026
  • Use a system property to ensure CSRF (Cross-Site Request Forgery) protection is enforced when setting user preferences.

    Use the glide.security.userpref_csrf_check.enable system property to enforce CSRF (Cross-Site Request Forgery) protection when user preferences are set in the User Preference Definitions [sys_user_preference_definition] table via URI parameters. If the property isn't set to the recommended value of true, the CSRF token required flag set on individual preferences is overridden, and preferences can be set via URI parameters without a CSRF token.

    Ensure the glide.security.userpref_csrf_check.enable system property is set to true.
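One way to audit this setting offline, as an added example that is not ServiceNow code: the function below evaluates rows exported from the sys_properties table and reports whether the property is effectively true. It assumes each row is an object with name and value fields, that the fallback value listed under More information applies when no record exists, and that only the string "true" counts as enabled; the sample rows are constructed.

```javascript
// Added example, not ServiceNow code. Rows are assumed to be {name, value}
// objects exported from the sys_properties table.
const PROP = 'glide.security.userpref_csrf_check.enable';
const FALLBACK = 'false'; // "Fallback value" documented on this page

// Returns an audit verdict for the property given the exported rows.
function auditUserprefCsrf(rows) {
  const matches = rows.filter((r) => r && r.name === PROP);
  if (matches.length === 0) {
    // Assumption: with no record present, the fallback value applies.
    return { state: 'missing', effective: FALLBACK, compliant: false,
             finding: 'no property record; fallback value applies' };
  }
  // Normalise so " True " and "TRUE" are read the same way.
  const values = matches.map((r) => String(r.value ?? '').trim().toLowerCase());
  if (new Set(values).size > 1) {
    return { state: 'conflict', effective: null, compliant: false,
             finding: 'duplicate records disagree; resolve before trusting the value' };
  }
  const effective = values[0];
  const compliant = effective === 'true'; // assumption: strict match only
  return { state: 'set', effective, compliant,
           finding: compliant
             ? 'CSRF token flag on individual preferences is honoured'
             : 'CSRF token flag on individual preferences is overridden' };
}

// Constructed sample exports, one per case the audit distinguishes.
const SAMPLES = {
  hardened: [{ name: PROP, value: 'true' }],
  disabled: [{ name: PROP, value: ' False ' }],
  absent: [{ name: 'glide.ui.session_timeout', value: '30' }],
  conflicting: [{ name: PROP, value: 'true' }, { name: PROP, value: 'false' }],
};

for (const [label, rows] of Object.entries(SAMPLES)) {
  const r = auditUserprefCsrf(rows);
  console.log(`${label}: compliant=${r.compliant} (${r.finding})`);
}
```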

    More information

    Attribute: Description
    Configuration name: glide.security.userpref_csrf_check.enable
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Boolean
    Recommended value: true
    Default value: true
    Fallback value: false
    Category: Architecture, design, and threat modeling
    Security risk:
    • Severity score: 4.3
    • CVSS score: Medium
    • Security risk details: Failure to implement CSRF protection exposes the instance to unauthorized actions performed on behalf of authenticated users.
    Functional impact: Users or integrations that previously set certain preferences via URL parameters without a CSRF token may now fail if those preferences require a token.
    Dependencies and prerequisites: None
    References: