XSS Prevention

Last Updated: Nov 2, 2020
documentation for the dotCMS Content Management System


As of version 5.2, dotCMS has shipped with a filter that is designed to minimize XSS and CSRF vunerabilities in the administrative console. To do this, dotCMS blocks direct access to all files under the administrative directories, e.g. /html, /dotAdmin … unless dotCMS is sent a valid referer (or Origin) header.

Prior to dotCMS 5.2, a similar protection was enabled using a plugin known as the CSRFFilter plugin, which is no longer needed.

The XSS prevention behavior is enabled globally by default and can be turned off globally by this property:


The paths (regexes) that are protected default to the list found here:

They can be overridden if needed by this comma separate property:


With XSS protection, dotCMS expects a valid referer or Origin header. The Origin Header is checked first and if it is not present, dotCMS will fall back to check the referer header. For a request to be valid, one of the following must be true:

  • The Origin/referer is the same host name as the request url (normally, this is the case).
  • The Origin/referer header has a value equal to a site or alias defined in the site manager (not normal, but maybe).
  • The Origin/referer header has a value equal to the “Portal Url” as defined on the Configuration Screen.
  • The request is for a *.css file (css @import statements do not set a referer).

If none of these conditions are met and you have a case where you need to allow non-refered access to an administrative file or folder you can add uris and paths to ignore to a config property IGNORE_REFERER_FOR_PATHS, as comma separated values. dotCMS will ignore all matching uris or, if it ends with an astrick, then all uris that begin with the value, e.g.

# IGNORE_REFERER_FOR_PATHS=/html/common/css.jsp,/html/my-plugin/*

On this page


We Dig Feedback

Selected excerpt: