CSRF Protection #613
Comments
|
Docs for |
|
Docs for |
|
Docs for |
|
Start to upgrading instructions. After I get things a little more solidified, I'd like to move the info from the plugin page into the core docs. |
|
I'm happy to report that I finally have a cookie adapter implemented in v0.1.0 of the plugin. Now I will work to port this to the core, write tests, and finish up the docs. |
|
(I also want to "battle test" this new cookie adapter in our production apps as well. If there are any problems, we usually learn of them pretty fast.) |
|
Docs for new settings: |
|
This has now landed in master! 🎉 I don't have time to look into the failing tests. The ones I looked into didn't make any sense. |
|
I managed to kick your tests through - passing! |
|
I'm sure you've explained before, but remind me what I need to do when I run into a situation like that? |
|
RDP in, open chrome and click on the "Redeploy" bookmark, then to be sure, click on the CF10 tests bookmark which will run them locally: I usually find it good to run them locally just to check it not throwing any genuine failures: then restart the test from Travis. |
|
@neokoenig Thanks! |
If all goes well with our CSRF Protection plugin, we may want to implement this for the next major release.
Suggested task list if we decide to go forward with this:
protectFromForgeryto defaultcontrollers/Controller.cfcfile included in framework zipcsrfMetaTagsto defaultviews/layout.cfmfile included in framework zipX-CSRF-TokenHTTP headerprotectFromForgerycsrfMetaTagsauthenticationTokenFieldprotectFromForgeryto controllers/Controller.cfc, addcsrfMetaTagsto layouts, configure AJAX calls to post withX-CSRF-TOKENHTTP headerauthenticityTokenin session (default) or encrypted cookiecsrf*settings in Configuration and Defaults chapterprotectForForgeryconfigurable viasetThe text was updated successfully, but these errors were encountered: