Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

We have implemented URL protection on several critical API endpoints. This update introduces a whitelisting requirement for URLs, enhancing the security and integrity of our API interactions. Operators must now explicitly whitelist the URLs to which these endpoints can respond.

Purpose of the Update:

This update is part of our ongoing commitment to security and data protection. By requiring the whitelisting of URLs, we prevent unauthorized redirection and potential phishing attacks. This ensures that only trusted and verified URLs are used in conjunction with our API endpoints.

Affected Endpoints with example path:

  • /account/logout?redirectUrl=
  • /api/1/sso/saml/logout?redirectUrl=
  • /api/1/samp/generateEmail?shipmentId=0&tracker=0&hashIdentifier=0&staticEmail=
  • /account/social-login/link?returnPath=
  • /api/1/redirect/account/social-login/link?returnPath=
  • /redirect/login?returnPath=
  • /api/1/redirect/login?returnPath=
  • /api/1/redirect/account/register?returnPath=

Actions required

For all existing ticket shops on point of sales:

Step 1: Whitelist the domains and URLs used in the mentioned endpoints and list them in the input box on Gravity tab.

Path; Organizations context > Sales channel > Point of sales > Characteristics > Gravity tab (see image below)

Step 2: Change the label value "config.account.activateValidationRedirectURL" from 'false' to 'true' to put the default limitation into affect  


Deadline for activation: For current clients impacted by these changes, a deadline has been established to implement the necessary updates. Beyond this date, the value label will automatically be switched to 'true', resulting in the activation of the default settings. The due date is set for: MISSING decision

For all clients setting up a new ticket shop on the POS:

Step 1: Whitelist the domains and URLs used in the mentioned endpoints and list them in the input box on Gravity tab (see image below).

*No additional actions are required, the feature restriction to limit the traffic is enabled by default.


The whitelisted domains / URLs need to be defined in the section highlighted below under "Domain restrictions"


What happens if you fail to apply the action:

The URL specified in your code (e.g for redirection) will no longer lead to the intended destination. Instead, users will be redirected to the Institution's website URL, if it's been defined in the POS param, or to the default ticket shop's landing page URL (given that at least one product is listed) at (.../content).

  • No labels