CSRF protection does not return proper error message #5012

Closed
dennisoelkers opened this Issue Aug 21, 2018 · 0 comments


dennisoelkers commented Aug 21, 2018

In #4987 / #4998 simple protection against CSRF attacks was introduced. This breaks all consumers of the API which do not send the X-Requested-By header for non-GET requests. Unfortunately, a consumer of the API which does not conform to this receives a very generic error looking like this:

{
	"type": "AutoValue_ApiError",
	"message": "HTTP 400 Bad Request"
}

which does not include any indication about the source of the problem. This makes it very hard for users of the API to fix the underlying issue.
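The mechanism the issue refers to is a custom-header CSRF check: a browser will not attach a header like X-Requested-By to a cross-site form submission (and will only send it from a script after a CORS preflight), so requiring it on every state-changing method separates real API clients from forged requests. The block below is an added illustration written for this page, not Graylog's own code: a small stand-in for the check with a switch between the generic "HTTP 400 Bad Request" body quoted above and a message that names the missing header. The `handle` endpoint, the `"type": "ApiError"` value and the sample requests are constructed for the example.

```python
import json

# Methods that must never change server state; the CSRF check leaves them alone.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# Header name taken from the issue. Any non-empty value is accepted: the
# protection relies on the header being present, not on its contents.
CSRF_HEADER = "X-Requested-By"


def csrf_check(method, headers, helpful=True):
    """Return None when the request may proceed, else (status, error_body).

    `headers` is a plain dict; names are matched case-insensitively as HTTP
    requires. `helpful=False` reproduces the generic pre-fix response the
    issue complains about; the default returns a message that names the
    missing header so a consumer knows what to change.
    """
    if method.upper() in SAFE_METHODS:
        return None
    has_header = any(
        name.lower() == CSRF_HEADER.lower() and value.strip()
        for name, value in headers.items()
    )
    if has_header:
        return None
    if helpful:
        message = (
            "HTTP 400 Bad Request: missing required header '%s'. "
            "Clients must send '%s: <any non-empty value>' on every %s "
            "request so the server can tell an API client from a cross-site "
            "form submission." % (CSRF_HEADER, CSRF_HEADER, method.upper())
        )
    else:
        message = "HTTP 400 Bad Request"
    # The "type" value is constructed to mirror the shape of the body quoted
    # in the issue; it is not a real Graylog class name.
    return 400, {"type": "ApiError", "message": message}


def handle(method, headers, body_text=""):
    """Tiny stand-in for an API endpoint: run the CSRF check, then 'apply'."""
    failure = csrf_check(method, headers)
    if failure is not None:
        status, error = failure
        return status, json.dumps(error)
    return 200, json.dumps({"applied": body_text})


# Constructed sample requests (not captured traffic) covering the three cases
# that matter: a forged form post, a conforming client, and a safe method.
SAMPLES = {
    # A browser-submitted <form method="POST"> cannot carry a custom header,
    # so this is what a CSRF attempt looks like on the wire: blocked.
    "cross_site_form_post": ("POST", {"Content-Type": "application/x-www-form-urlencoded",
                                      "Cookie": "session=abc"}, "name=evil"),
    # A script or XHR client that sets the header (any case): allowed.
    "xhr_with_header": ("POST", {"Content-Type": "application/json",
                                 "x-requested-by": "graylog-ui"}, '{"name":"ok"}'),
    # Safe method, header not required: allowed.
    "plain_get": ("GET", {"Cookie": "session=abc"}, ""),
}


def run_samples():
    """Return {sample_name: http_status} for the constructed requests above."""
    return {name: handle(m, h, b)[0] for name, (m, h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (m, h, b) in SAMPLES.items():
        status, body = handle(m, h, b)
        print(name, status, body)
    # The generic message the issue reports, for comparison:
    print(csrf_check("POST", {}, helpful=False)[1]["message"])
```

Two practical points follow from this. For a consumer, the fix is simply to send the header on every non-GET request (for instance `curl -H 'X-Requested-By: my-script' -X POST ...`); naming the header in the error costs nothing security-wise, since every legitimate client has to know it anyway. For the server, the defence only holds as long as the CORS policy does not let arbitrary origins preflight and send X-Requested-By: if Access-Control-Allow-Headers advertises it to any origin, a cross-site script can add the header and the check is void.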

@dennisoelkers dennisoelkers added this to the 2.5.0 milestone Aug 21, 2018

@jalogisch jalogisch added the triaged label Sep 10, 2018

dennisoelkers added a commit that referenced this issue Oct 5, 2018

Return helpful error message when CSRF protection fails.
Before this change, the server returned a generic "Bad Request" error
message when a client queried the API without the required CSRF
protection header. This leaves the consumer confused, especially for
previous users of the API which now do not know what to change in their
request to make it work again.

This change now leaves the error code intact but adds a helpful message
telling the consumer what went wrong.

Fixes #5012.

edmundoa added a commit that referenced this issue Oct 5, 2018

Return helpful error message when CSRF protection fails. (#5177)
* Return helpful error message when CSRF protection fails.

Before this change, the server returned a generic "Bad Request" error
message when a client queried the API without the required CSRF
protection header. This leaves the consumer confused, especially for
previous users of the API which now do not know what to change in their
request to make it work again.

This change now leaves the error code intact but adds a helpful message
telling the consumer what went wrong.

Fixes #5012.

* Making error message _even more(!)_ helpful.

dennisoelkers added a commit that referenced this issue Oct 10, 2018

Return helpful error message when CSRF protection fails. (#5177) (#5182)
* Return helpful error message when CSRF protection fails.

Before this change, the server returned a generic "Bad Request" error
message when a client queried the API without the required CSRF
protection header. This leaves the consumer confused, especially for
previous users of the API which now do not know what to change in their
request to make it work again.

This change now leaves the error code intact but adds a helpful message
telling the consumer what went wrong.

Fixes #5012.

* Making error message _even more(!)_ helpful.