DOC: Add notice about CSRF on browsers in documentation

proposed by @bernhardreiter
certtools · Apr 27, 2020 · ec6567e · ec6567e · bernhardreiter · Apr 28, 2020
1 parent 87df78c
commit ec6567e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/NEWS.md b/NEWS.md
@@ -8,6 +8,8 @@ See the changelog for a full list of changes.
 The environment variable name was corrected from `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANGAER_CONTROLLER_CMD` you might need to adapt your configuration.
 The old name will be available until version 3.0.
 
+Use IntelMQ Manager only from a browser that can only access internal, trusted sites. (Because CSRF development is under way, see [#111](github.com/certtools/intelmq/issues/111)).
+
 2.1.0 (2019-10-15)
 ------------------
 The environment variable name was corrected from `INTELMQ_MANGER_CONTROLER_CMD` to `INTELMQ_MANGER_CONTROLLER_CMD` you might need to adapt your configuration.

diff --git a/docs/INSTALL.md b/docs/INSTALL.md
@@ -143,6 +143,8 @@ The way the current version is written, anyone can send a POST request and chang
 
 Therefore you will need authentication and SSL.
 
+Use IntelMQ Manager only from a browser that can only access internal, trusted sites. (Because CSRF development is under way, see [#111](https://github.com/certtools/intelmq-manager/issues/111)).
+
 In addition, intelmq currently stores plaintext passwords in its configuration files. These can be read via intelmq-manager.
 
 **Never ever allow unencrypted, unauthenticated access to intelmq-manager**.