CSRF Protection #613
Comments
Start of upgrading instructions. After I get things a little more solidified, I'd like to move the info from the plugin page into the core docs.
I'm happy to report that I finally have a cookie adapter implemented in v0.1.0 of the plugin. Now I will work to port this to the core, write tests, and finish up the docs.
(I also want to "battle test" this new cookie adapter in our production apps as well. If there are any problems, we usually learn of them pretty fast.)
Docs for new settings:
This has now landed in master! 🎉 I don't have time to look into the failing tests. The ones I looked into didn't make any sense.
I managed to kick your tests through - passing!
I'm sure you've explained before, but remind me what I need to do when I run into a situation like that?
RDP in, open Chrome and click on the "Redeploy" bookmark, then to be sure, click on the CF10 tests bookmark which will run them locally: I usually find it good to run them locally just to check it's not throwing any genuine failures; then restart the test from Travis.
@neokoenig Thanks!
If all goes well with our CSRF Protection plugin, we may want to implement this for the next major release.
Suggested task list if we decide to go forward with this:
- Add protectFromForgery to the default controllers/Controller.cfc file included in the framework zip
- Add csrfMetaTags to the default views/layout.cfm file included in the framework zip
- X-CSRF-Token HTTP header
- protectFromForgery
- csrfMetaTags
- authenticationTokenField
- Upgrade instructions: add protectFromForgery to controllers/Controller.cfc, add csrfMetaTags to layouts, configure AJAX calls to post with the X-CSRF-TOKEN HTTP header
- authenticityToken stored in session (default) or in an encrypted cookie
- csrf* settings in the Configuration and Defaults chapter
- protectForForgery configurable via set
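The following is an added worked example, not code from the plugin or from the CFWheels core, showing the mechanism the task list describes: an authenticity token issued per client, kept either in the session (default) or in a cookie, emitted into the layout as meta tags, and checked on every non-safe request against either a form field named authenticityToken or an X-CSRF-Token header. The class name CsrfProtector, its methods (issue, meta_tags, verify), the cookie name csrf_token and the in-memory request/session dicts are all assumptions made for the example; the cookie is HMAC-signed here rather than encrypted, which is a simplification of the "encrypted cookie" option above and is enough to stop an attacker minting their own token.

```python
import hmac
import hashlib
import secrets
from typing import Optional

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})  # never state-changing, so no token needed


class CsrfProtector:
    """Synchronizer-token CSRF check (hypothetical class, modelled on the task list)."""

    def __init__(self, secret: bytes, store: str = "session",
                 field_name: str = "authenticityToken",
                 header_name: str = "X-CSRF-Token",
                 cookie_name: str = "csrf_token"):  # hypothetical cookie name
        if store not in ("session", "cookie"):
            raise ValueError("store must be 'session' or 'cookie'")
        self.secret = secret
        self.store = store
        self.field_name = field_name
        self.header_name = header_name
        self.cookie_name = cookie_name

    def _sign(self, token: str) -> str:
        # HMAC over the token so a client cannot forge its own cookie value
        return hmac.new(self.secret, token.encode(), hashlib.sha256).hexdigest()

    def _token_from_cookie(self, raw: Optional[str]) -> Optional[str]:
        # Cookie layout is "<token>.<hex hmac>"; reject anything unsigned or tampered
        if not raw or "." not in raw:
            return None
        token, sig = raw.rsplit(".", 1)
        if not hmac.compare_digest(sig.encode(), self._sign(token).encode()):
            return None
        return token

    def issue(self, session: dict, cookies: dict) -> str:
        """Return this client's authenticity token, creating one on first use."""
        if self.store == "session":
            token = session.get("authenticityToken")
            if token is None:
                token = secrets.token_urlsafe(32)
                session["authenticityToken"] = token
            return token
        token = self._token_from_cookie(cookies.get(self.cookie_name))
        if token is None:
            token = secrets.token_urlsafe(32)
            cookies[self.cookie_name] = f"{token}.{self._sign(token)}"
        return token

    def meta_tags(self, token: str) -> str:
        """What csrfMetaTags would render, so AJAX code can read the token and header name."""
        return (f'<meta name="csrf-param" content="{self.field_name}" />\n'
                f'<meta name="csrf-token" content="{token}" />')

    @staticmethod
    def _header(headers: dict, name: str) -> Optional[str]:
        for key, value in headers.items():  # header names are case-insensitive
            if key.lower() == name.lower():
                return value
        return None

    def verify(self, request: dict) -> bool:
        """protectFromForgery: allow safe methods; otherwise require a matching token."""
        if request["method"].upper() in SAFE_METHODS:
            return True
        if self.store == "session":
            expected = request.get("session", {}).get("authenticityToken")
        else:
            expected = self._token_from_cookie(request.get("cookies", {}).get(self.cookie_name))
        if not expected:
            return False  # client was never issued a token (or cookie failed signature check)
        presented = (request.get("form", {}).get(self.field_name)
                     or self._header(request.get("headers", {}), self.header_name))
        if not presented:
            return False  # typical cross-site POST: attacker cannot read the token
        return hmac.compare_digest(presented.encode(), expected.encode())


def demo() -> dict:
    """Constructed requests: form post, AJAX post with header, cross-site post, forged cookie."""
    results, session = {}, {}
    guard = CsrfProtector(secret=b"constructed-secret", store="session")
    token = guard.issue(session, {})
    results["form_ok"] = guard.verify({"method": "POST", "session": session,
                                       "form": {"authenticityToken": token}})
    results["ajax_ok"] = guard.verify({"method": "POST", "session": session,
                                       "headers": {"x-csrf-token": token}})
    results["missing_rejected"] = not guard.verify({"method": "POST", "session": session,
                                                    "form": {"comment": "hello"}})
    results["get_allowed"] = guard.verify({"method": "GET", "session": session})

    cookies = {}
    cookie_guard = CsrfProtector(secret=b"constructed-secret", store="cookie")
    ctoken = cookie_guard.issue({}, cookies)
    results["cookie_ok"] = cookie_guard.verify({"method": "POST", "cookies": cookies,
                                                "form": {"authenticityToken": ctoken}})
    forged = {"csrf_token": "attacker." + "0" * 64}  # constructed: unsigned value
    results["forged_cookie_rejected"] = not cookie_guard.verify(
        {"method": "POST", "cookies": forged, "form": {"authenticityToken": "attacker"}})
    return results
```

The two storage modes differ in where the trust anchor lives: in session mode the server holds the token, so the cookie-based mode only works because the cookie is signed with a server secret that a cross-site attacker does not have. In both modes the comparison uses hmac.compare_digest so timing does not leak the token.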