Request for URL /wp/render/.../WebViewRead.ashx is denied because the request does not contain the required CSRF token seen in TIBCO Spotfire

Article ID: KB0070020

Products: Spotfire Server
Versions: 7.5 and higher

Description

When end-user requests to the Spotfire Server are routed through an F5 load balancer, the following message may be seen in the server.log:

"Request for URL /wp/render/..../WebViewRead.ashx is denied because the request does not contain the required CSRF token"

This happens because F5's Application Security Manager (ASM) is usually configured for CSRF protection, which interferes with Spotfire's own CSRF protection: F5 ASM assigns a different CSRF token to the request, so the Spotfire side rejects it with an access denied error. The recommended approach is to keep CSRF protection enabled on the Spotfire Server. However, if, and only if, it is a requirement that CSRF protection is enforced on the load balancer, it can be disabled in Spotfire as described below.

Important: Disabling CSRF protection in Spotfire is NOT recommended for security reasons. If CSRF errors are seen for reasons other than the one stated in this article, investigate and resolve that cause instead of disabling CSRF protection. This article explicitly describes how the F5 load balancer's CSRF protection can be used in place of Spotfire's, which means CSRF protection remains active.
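Before deciding to follow the resolution, it helps to confirm that the denials in server.log are limited to the F5-routed /wp/render/.../WebViewRead.ashx requests described here. The following Python snippet is an added example, not part of this article or of Spotfire itself; it counts the quoted denial message per URL and separates the WebViewRead.ashx pattern from any other URL, which per the note above should be investigated rather than silenced. The sample log lines and their timestamp/logger layout are constructed; only the denial message text is taken from the article.

```python
import re
from collections import Counter

# The message text is the one quoted in the article; the timestamp/logger
# layout of the sample lines below is constructed and not a real server.log.
CSRF_DENIED = re.compile(
    r"Request for URL (?P<url>\S+) is denied because the request does not "
    r"contain the required CSRF token"
)

# Constructed sample: three denials for the load-balancer pattern and one
# for an unrelated URL that should be investigated separately.
SAMPLE_LOG = """\
2024-01-15T10:01:02 WARN  web.CsrfFilter: Request for URL /wp/render/1234/WebViewRead.ashx is denied because the request does not contain the required CSRF token
2024-01-15T10:01:05 INFO  server.Startup: Spotfire Server started
2024-01-15T10:02:10 WARN  web.CsrfFilter: Request for URL /wp/render/5678/WebViewRead.ashx is denied because the request does not contain the required CSRF token
2024-01-15T10:02:11 WARN  web.CsrfFilter: Request for URL /wp/render/1234/WebViewRead.ashx is denied because the request does not contain the required CSRF token
2024-01-15T10:03:40 WARN  web.CsrfFilter: Request for URL /other/path is denied because the request does not contain the required CSRF token
"""


def csrf_denials(log_text):
    """Return a Counter of URLs for which the CSRF denial message was logged."""
    counts = Counter()
    for line in log_text.splitlines():
        match = CSRF_DENIED.search(line)
        if match:
            counts[match.group("url")] += 1
    return counts


def triage(log_text):
    """Split denials into the /wp/render/.../WebViewRead.ashx pattern from the
    article and everything else, which points at a different cause."""
    counts = csrf_denials(log_text)
    webview = {
        url: n for url, n in counts.items()
        if url.startswith("/wp/render/") and url.endswith("/WebViewRead.ashx")
    }
    other = {url: n for url, n in counts.items() if url not in webview}
    return {"total": sum(counts.values()), "webview_render": webview, "other": other}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} CSRF denials; other URLs: {result['other']}")
```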

Issue/Introduction

CSRF token missing message in the logs when the requests are routed via an F5 load balancer.

Environment

All

Resolution

Follow the steps below to disable CSRF protection (press Return / Enter after every command):
  1. Launch a command prompt on the TIBCO Spotfire Server and export the Spotfire configuration using the following command:
    config export-config
  2. Run the following command to disable CSRF protection:
    config config-csrf-protection --enabled=false
  3. Run the following command to import the configuration into the Spotfire database:
    config import-config -c "Disabled CSRF protection"
  4. Restart all Spotfire Server services.

Additional Information

External: Protecting against CSRF