
Turn CSRF protection on by default #4123

Merged
merged 1 commit into from
Jun 19, 2024

Conversation

hannako
Contributor

@hannako hannako commented Jun 19, 2024

The Rails default CSRF protection was disabled in #1317

The POST routes in this application are postcode lookups to an external API. So we don't currently need CSRF protection, but this is being flagged by the scanner as a vulnerability. Let's turn it back on across the application, and just disable it on four specific routes. This means if the application changes in the future we aren't caught out (assuming we're covered by default CSRF protection).

https://trello.com/c/HQaHFTdc/2580-review-and-potentially-fix-code-scanning-alerts-for-our-repos-m

Commit message:

The Rails default CSRF protection was disabled in #4123

The POST routes in this application are postcode lookups to an external API. So we don't currently need CSRF protection, but this is being flagged by the scanner as a vulnerability. Let's turn it back on across the application, and just disable it on four specific routes. This means if the application changes in the future we aren't caught out (assuming we're covered by default CSRF protection).
Code scanning alerts dismissed on the four controllers that keep the per-route skip:

app/controllers/find_local_council_controller.rb
app/controllers/licence_transaction_controller.rb
app/controllers/local_transaction_controller.rb
app/controllers/place_controller.rb
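The PR description and the commit message above state the pattern (protection on by default in the application, skipped only on the postcode-lookup actions) without showing what the check actually does. The following is an added example, not code from govuk-frontend or from Rails: a Rails-free simulation of the behaviour that protect_from_forgery in ApplicationController and skip_forgery_protection / skip_before_action :verify_authenticity_token in individual controllers give you. It reproduces the session-bound token, the one-time-pad masking Rails applies to the form token, constant-time comparison, and a per-action opt-out. All class and method names (CsrfGuard, MiniController, AccountController#update, FindLocalCouncilController#find) are hypothetical, and the 200/422 status codes stand in for a normal response and for the ActionController::InvalidAuthenticityToken exception Rails would raise.

```ruby
require "securerandom"
require "base64"

# Added example (hypothetical names): a Rails-free model of protect_from_forgery.
class CsrfGuard
  TOKEN_BYTES = 32

  # The real per-session token: generated once, kept server-side in the session.
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_BYTES)
  end

  # Token embedded in a form: a fresh one-time pad XORed with the real token,
  # pad prepended, so every render emits a different string (the masking Rails
  # uses to blunt BREACH-style compression attacks).
  def self.masked_token(session)
    real = session_token(session)
    pad  = SecureRandom.random_bytes(TOKEN_BYTES)
    Base64.strict_encode64(pad + xor(pad, real))
  end

  # Unmask the submitted token and compare it with the session's real token.
  # Malformed input is rejected rather than raised on.
  def self.valid_token?(session, submitted)
    return false unless submitted.is_a?(String)
    raw = begin
      Base64.strict_decode64(submitted)
    rescue ArgumentError
      return false
    end
    return false unless raw.bytesize == TOKEN_BYTES * 2
    pad    = raw[0, TOKEN_BYTES]
    masked = raw[TOKEN_BYTES, TOKEN_BYTES]
    secure_compare(xor(pad, masked), session_token(session))
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison: OR every byte difference together instead of
  # returning early, so timing does not reveal how many leading bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stands in for ApplicationController with forgery protection on by default:
# every non-GET/HEAD request needs a valid token unless the action was skipped.
class MiniController
  SAFE_METHODS = %w[GET HEAD].freeze

  # Same shape as Rails' skip_forgery_protection(only: [...]).
  def self.skip_forgery_protection(only:)
    @skipped = only.map(&:to_s)
  end

  def self.skipped
    @skipped ||= []
  end

  # Returns an HTTP status; 422 stands in for InvalidAuthenticityToken.
  def dispatch(method, action, session, params)
    exempt = SAFE_METHODS.include?(method) || self.class.skipped.include?(action.to_s)
    return 422 if !exempt && !CsrfGuard.valid_token?(session, params["authenticity_token"])
    public_send(action, params)
  end
end

# Ordinary controller: inherits protection on every action.
class AccountController < MiniController
  def update(_params)
    200
  end
end

# The postcode-lookup controller: its POST only forwards a postcode to an
# external API, so that single action is opted out, as the PR does for four routes.
class FindLocalCouncilController < MiniController
  skip_forgery_protection only: [:find]

  def find(_params)
    200
  end
end

# Exercise the guard with a victim's session and with a token from another session.
def run_scenarios
  victim, attacker = {}, {}
  good_token    = CsrfGuard.masked_token(victim)
  foreign_token = CsrfGuard.masked_token(attacker) # well-formed, but bound to the wrong session
  {
    post_without_token:           AccountController.new.dispatch("POST", :update, victim, {}),
    post_with_token:              AccountController.new.dispatch("POST", :update, victim, { "authenticity_token" => good_token }),
    post_with_foreign_token:      AccountController.new.dispatch("POST", :update, victim, { "authenticity_token" => foreign_token }),
    skipped_lookup_without_token: FindLocalCouncilController.new.dispatch("POST", :find, victim, {}),
    get_without_token:            AccountController.new.dispatch("GET", :update, victim, {}),
  }
end
```

Two points worth keeping in mind when reviewing a change like this one: the four dismissed code-scanning alerts above are exactly the per-controller skips, so the scanner is doing its job and the dismissal is the deliberate exception; and each skip should stay scoped with only: to the lookup action rather than the whole controller, so a state-changing action added later to one of those controllers is still covered by the application-wide default.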
@hannako hannako marked this pull request as ready for review June 19, 2024 10:19
Contributor

@KludgeKML KludgeKML left a comment


LGTM!

@hannako hannako merged commit ae9a20d into main Jun 19, 2024
12 checks passed
@hannako hannako deleted the csrf_protection branch June 19, 2024 10:21
3 participants