Prevent users from accepting warning to bypass CSRF validation
Reduce the risk of Cross-Site Request Forgery (CSRF) by preventing users from accepting a warning that bypasses CSRF validation.
The glide.security.csrf.strict.validation.mode system property prevents users from accepting a warning that would allow a potentially malicious request to be sent to the instance. This warning appears when a POST request fails CSRF validation because its anti-CSRF token belongs to one of the victim's other active sessions rather than to the current one. If glide.security.csrf.strict.validation.mode isn't set to the recommended value of true, an attacker who has obtained a leaked anti-CSRF token from a different active session belonging to the victim can still mount a CSRF attack: the forged request fails validation, but the victim is offered the warning and can resubmit it.
A POST request to an instance carries an anti-CSRF token in the sysparm_ck parameter or the X-UserToken header, and that token must match the user's current session. When this property is set to false and the token is instead tied to one of the user's other active sessions, the POST request returns a 302 redirect to security_interceptor.do with a Continue button available to the user.
Clicking that button resubmits the request to the instance, now carrying the current session's valid anti-CSRF token, so the forged request is processed. When this property is set to true, the 302 redirect to security_interceptor.do does not display a Continue button and the user cannot resubmit the request.
Ensure that the property glide.security.csrf.strict.validation.mode exists and is set to true. The fallback value of false applies when the property record is absent, so confirm the record in System Properties (/sys_properties_list.do) rather than assuming the default is in effect.
More information
| Attribute | Description |
|---|---|
| Configuration name | glide.security.csrf.strict.validation.mode |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | Boolean |
| Recommended value | true |
| Default value | true |
| Fallback value | false |
| Category | |
| Security risk | |
| Functional impact | None |
| Dependencies and prerequisites | None |