• Created by Unknown User (mkc), last modified on Jan 17, 2024

We have implemented URL protection on several critical API endpoints. This update introduces a whitelisting requirement for URLs, enhancing the security and integrity of our API interactions. Operators must now explicitly whitelist the URLs to which these endpoints can respond.

Purpose of the Update:

This update is part of our ongoing commitment to security and data protection. By requiring the whitelisting of URLs, we prevent unauthorized redirection and potential phishing attacks. This ensures that only trusted and verified URLs are used in conjunction with our API endpoints.

Affected Endpoints with example path:

  • /account/logout?redirectUrl=
  • /api/1/sso/saml/logout?redirectUrl=
  • /api/1/samp/generateEmail?shipmentId=0&tracker=0&hashIdentifier=0&staticEmail=
  • /account/social-login/link?returnPath=
  • /api/1/redirect/account/social-login/link?returnPath=
  • /redirect/login?returnPath=
  • /api/1/redirect/login?returnPath=
  • /api/1/redirect/account/register?returnPath=

Actions required

For all existing ticket shops on point of sales:

Step 1: Whitelist the domains and URLs used in the mentioned endpoints and list them in the input box on Gravity tab.

Path; Organizations context > Sales channel > Point of sales > Characteristics > Gravity tab (see 1st image below)

Step 2: Change the label value "config.account.activateValidationRedirectURL" from 'false' to 'true' to put the default limitation into affect  (see 2nd image below).


Deadline for activation: For current clients impacted by these changes, a deadline has been established to implement the necessary updates. Beyond this date, the value label will be switched to 'true', resulting in the activation of the default settings. The due date is set for: 30 April 2024. 

For all clients setting up a new ticket shop on the POS:

Step 1: Whitelist the domains and URLs used in the mentioned endpoints and list them in the input box on Gravity tab (see image below).

*No additional actions are required, the feature restriction to limit the traffic is enabled by default.


The whitelisted domains / URLs need to be defined in the section highlighted above under "Domain restrictions"


What happens if you fail to apply the action:

The URL specified in your code (e.g for redirection) will no longer lead to the intended destination. Instead, users will be redirected to the Institution's website URL, if it's been defined in the POS param, or to the default ticket shop's landing page URL (given that at least one product is listed) at (.../content).


How to change the label value:

  • No labels

© SecuTix 2023 - Login