Tip

This topic is only relevant if you're relying on HTTP request headers to pass attribute information from the SP to your applications. The default is to rely on Server Variables that are internal to the web server and are not subject to client influence.

Background

The SP includes a feature called "spoof checking". Its purpose is to actively scan the HTTP headers in each client request and attempt to detect whether any of them map to a header variable under the SP's control. The SP maintains a list of all the header names that it might be expected to create in response to a user session, including all of the mappings based on attributes. If the client attempts to supply its own value for one of these headers, the feature tries to detect that, block the request with an error message, and log the attempt.
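A minimal sketch of the check described above, added here as an illustration and not the SP's own code; the header names, attribute mapping and function names are constructed for this example. Names are compared case-insensitively because HTTP header names are case-insensitive.

```python
import logging

log = logging.getLogger("spoofcheck")

# Constructed sample configuration (hypothetical names, not the SP's defaults).
FIXED_HEADERS = ["X-Example-Session-Id"]
ATTRIBUTE_MAP = {"mail": "X-Example-Mail", "affiliation": "X-Example-Affiliation"}


def controlled_headers(fixed, attribute_map):
    """Every header name the module might create, lowercased for comparison."""
    return {name.lower() for name in [*fixed, *attribute_map.values()]}


def check_request(client_headers, controlled):
    """Return (allowed, offending_names) for a list of (name, value) pairs."""
    offending = sorted({name for name, _ in client_headers
                        if name.strip().lower() in controlled})
    if offending:
        # Log names only (repr-escaped); values are client-controlled.
        log.warning("request blocked, client sent controlled header(s): %r", offending)
        return False, offending
    return True, []


def export_session(client_headers, session_attrs, attribute_map):
    """After a clean check, append the module's own values for the session."""
    out = list(client_headers)
    for attr, header in attribute_map.items():
        if attr in session_attrs:
            out.append((header, session_attrs[attr]))
    return out


if __name__ == "__main__":
    controlled = controlled_headers(FIXED_HEADERS, ATTRIBUTE_MAP)
    clean = [("Host", "app.example.org"), ("Accept", "text/html")]
    forged = clean + [("x-example-mail", "admin@example.org")]
    print(check_request(clean, controlled))
    print(check_request(forged, controlled))
    print(export_session(clean, {"mail": "user@example.org"}, ATTRIBUTE_MAP))
```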

...