CSRF should be a middleware #2082
Comments
dbsearch + RSS plugin by @barisusakli and my blog comments plugin, just off the top of my head
Eh, either me or one of us, anyway.
@xCRNSx, this concerns https://github.com/xCRNSx/nodebb-widget-gameservers.
I believe you can re-enable issues in forks... though I'm not entirely sure on that.
closed via a061079
The behaviour of the csrf token has changed! Instead of being omni-present on the header, they are added to certain templates that require it. For example, we want to secure the uploading of favicons in the admin panel, which is a POST upload request:
it's too complicated for me if it's more than one LOC
Anyway -- we require CSRF for all POST/PUT/DELETE requests, which precludes the possibility of building a write-enabled API that utilises other methods of authentication (e.g. API key or oauth2 access token over HTTPS).
Also, the CSRF system is due for a rewrite anyway.
Notes
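An added example, not code from this issue or from NodeBB: an Express-style middleware that enforces CSRF on cookie-session writes but lets requests authenticated by an `Authorization: Bearer` header through, which is the case the issue says a blanket POST/PUT/DELETE check rules out. The `x-csrf-token` header, `_csrf` body field, `req.session.csrfToken` and `req.authMode` are assumed names, and validating the bearer token itself is left to a later middleware.

```javascript
const crypto = require('crypto');

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Constant-time comparison, so the check does not reveal how much of a guess matched.
function tokensMatch(expected, supplied) {
  if (typeof expected !== 'string' || typeof supplied !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Express-style signature: (req, res, next).
function csrfMiddleware(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next();

  const auth = req.headers.authorization || '';
  if (/^Bearer \S+$/.test(auth)) {
    // A browser never attaches this header on its own, so CSRF does not apply.
    // Drop the cookie session so later handlers cannot fall back to it.
    req.session = null;
    req.authMode = 'token'; // assumed field; the token is verified downstream
    return next();
  }

  // Cookie-session request: the ambient credential needs a matching CSRF token.
  const expected = req.session && req.session.csrfToken;
  const supplied = req.headers['x-csrf-token'] || (req.body && req.body._csrf);
  if (!tokensMatch(expected, supplied)) {
    res.statusCode = 403;
    return res.end('Invalid CSRF token');
  }
  req.authMode = 'session';
  return next();
}

// Runs the middleware against a constructed request and reports the outcome.
function run(req) {
  const res = { statusCode: 200, end() {} };
  let passed = false;
  csrfMiddleware(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, authMode: req.authMode, session: req.session };
}

// Constructed sample: an API client sends a bearer token alongside a stale session cookie.
console.log(run({ method: 'POST', headers: { authorization: 'Bearer sample-token' },
                  session: { csrfToken: 'abc123' } }));
```
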