Forum Discussion
boneyard (MVP)
Jul 13, 2015
Not sure I understand you 100%.
You say CSRF protection was enabled, but when it was checked in the browser the code that would make it work was commented out, so not active?
That sounds very weird, are you very sure this was the case? Did the person testing this actually try requests, was the token inserted in the URL?
If it really didn't work, was it tried with different browsers? Different versions? Weren't there any special tools installed on the systems that were tested with that caused this?
Also you say you did a PoC, was that done with an F5 partner or F5 SE? Have you contacted them about this?