Bug ID 716324: CSRF protection fails when the total size of the configured URL list is more than 2 KB

Last Modified: Jul 21, 2021


Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 14.0.0, 14.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3

Fixed In:

Opened: Apr 22, 2018
Severity: 3-Major


Symptoms

When the total size of the cross-site request forgery (CSRF) protection URL list is greater than 2 KB, CSRF injection fails.


Impact

CSRF false-positive violation.


Conditions

- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.


Workaround

Use wildcards to minimize total CSRF URL size.
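One way to check a wildcard consolidation before applying the workaround, as an added example that is not F5 code: it measures the list against the 2 KB threshold and reports any explicit URL the wildcard list no longer covers. Assumptions: size is counted as the sum of UTF-8 byte lengths (the page does not say how ASM counts it), `*` matching is approximated with Python's `fnmatchcase`, and the sample URLs are constructed.

```python
from fnmatch import fnmatchcase

OLD_LIMIT = 2 * 1024  # total size above which this bug triggers (from the page)
NEW_LIMIT = 5 * 1024  # default maximum after the fix (from the page)


def total_size(urls):
    """Sum of UTF-8 byte lengths. Assumption: ASM's exact accounting
    (separators, encoding) is not stated on the page."""
    return sum(len(u.encode("utf-8")) for u in urls)


def uncovered(explicit_urls, wildcard_urls):
    """Explicit URLs that no wildcard entry matches, i.e. CSRF coverage
    that would be lost by switching to the wildcard list."""
    return [u for u in explicit_urls
            if not any(fnmatchcase(u, w) for w in wildcard_urls)]


def review(explicit_urls, wildcard_urls, limit=OLD_LIMIT):
    """Compare the explicit list with its proposed wildcard replacement."""
    before = total_size(explicit_urls)
    after = total_size(wildcard_urls)
    return {
        "before_bytes": before,
        "after_bytes": after,
        "before_over_limit": before > limit,
        "after_over_limit": after > limit,
        "uncovered": uncovered(explicit_urls, wildcard_urls),
    }


# Constructed sample data (hypothetical URLs, not from the bug report).
EXPLICIT = [f"/account/settings/section{i:03d}/update.php" for i in range(60)]
EXPLICIT += ["/transfer/confirm.php", "/admin/users/delete.php"]
WILDCARDS = ["/account/settings/*", "/transfer/*"]

if __name__ == "__main__":
    for key, value in review(EXPLICIT, WILDCARDS).items():
        print(f"{key}: {value}")
```

A wildcard also matches URLs that were never in the explicit list, so review the broader scope for new CSRF violations on pages that were previously unprotected.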

Fix Information

Increased the default maximum total CSRF URL list size to 5 KB and added the internal parameter csrf_dyn_params_buffer_size in case further adjustment is needed.

Behavior Change