
CSRF Protection #613

Closed
chrisdpeters opened this Issue Mar 28, 2016 · 13 comments

Comments

3 participants
@chrisdpeters
Contributor

chrisdpeters commented Mar 28, 2016

If all goes well with our CSRF Protection plugin, we may want to implement this for the next major release.

Suggested task list if we decide to go forward with this:

  • Integrate into core
  • Add call to protectFromForgery to default controllers/Controller.cfc file included in framework zip
  • Add call to csrfMetaTags to default views/layout.cfm file included in framework zip
  • Write tests
    • Write tests for including token as X-CSRF-Token HTTP header
  • Write documentation
    • protectFromForgery
    • csrfMetaTags
    • authenticationTokenField
    • Upgrading - add protectFromForgery to controllers/Controller.cfc, add csrfMetaTags to layouts, configure AJAX calls to post with X-CSRF-TOKEN HTTP header
  • Add config settings for storing authenticityToken in session (default) or encrypted cookie
  • Make arguments for protectFromForgery configurable via set
  • Update CHANGELOG
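The mechanism the task list describes, written out as an added Python example (not CFWheels code, which is CFML): state-changing requests must carry a token that matches one the server issued, the token is embedded for forms and for AJAX callers via meta tags, GET/HEAD/OPTIONS are exempt, and the token can live either in the session (the default) or in a cookie the server authenticates. The `Request` stand-in, the two store classes, the HMAC-signed cookie used in place of the plugin's encrypted cookie, and the meta-tag names are all assumptions made for the illustration.

```python
# Added example (Python, not CFWheels CFML): a synchronizer-token CSRF check that
# follows the design laid out in the task list above. Request, the two token
# stores and the meta-tag format are assumptions made for the illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # what isGet / isHead / isOptions exempt
TOKEN_FIELD = "authenticityToken"           # name of the hidden form field
TOKEN_HEADER = "X-CSRF-Token"               # header sent by AJAX callers


@dataclass
class Request:
    """Minimal stand-in for the framework request scope (assumption)."""
    method: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class SessionStore:
    """Default adapter: the token lives server-side, keyed in the user's session."""

    def __init__(self) -> None:
        self.session: dict = {}  # one instance per user session (assumption)

    def load(self, request: Request) -> Optional[str]:
        return self.session.get(TOKEN_FIELD)

    def issue(self, request: Request) -> str:
        token = secrets.token_urlsafe(32)
        self.session[TOKEN_FIELD] = token
        return token


class SignedCookieStore:
    """Stand-in for the plugin's encrypted-cookie adapter. The token rides in a
    cookie, so it must be authenticated or a cross-site page could plant its own;
    HMAC-SHA256 gives integrity only, which is all the check below needs."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def _mac(self, token: str) -> str:
        return hmac.new(self.secret, token.encode(), hashlib.sha256).hexdigest()

    def load(self, request: Request) -> Optional[str]:
        token, _, mac = request.cookies.get(TOKEN_FIELD, "").rpartition(".")
        if token and hmac.compare_digest(mac.encode(), self._mac(token).encode()):
            return token
        return None  # missing, tampered or unsigned cookie: no trusted token

    def issue(self, request: Request) -> str:
        token = secrets.token_urlsafe(32)  # urlsafe alphabet has no '.', safe separator
        request.cookies[TOKEN_FIELD] = f"{token}.{self._mac(token)}"  # Set-Cookie in a real app
        return token


def token_for_view(request: Request, store) -> str:
    """What csrfMetaTags / a hidden form field would embed: reuse or mint a token."""
    return store.load(request) or store.issue(request)


def csrf_meta_tags(token: str) -> str:
    """Meta tags for page scripts to read (tag names are an assumption)."""
    return (f'<meta name="csrf-param" content="{TOKEN_FIELD}">\n'
            f'<meta name="csrf-token" content="{token}">')


def _header(request: Request, name: str) -> Optional[str]:
    # HTTP header names are case-insensitive; AJAX libraries vary in casing.
    return next((v for k, v in request.headers.items() if k.lower() == name.lower()), None)


def protect_from_forgery(request: Request, store) -> bool:
    """True if the request may proceed. Safe methods are exempt; state-changing
    ones must carry the token in the form field or the header, and it must match
    the stored token byte for byte (constant-time compare)."""
    if request.method.upper() in SAFE_METHODS:
        return True
    expected = store.load(request)
    submitted = request.form.get(TOKEN_FIELD) or _header(request, TOKEN_HEADER)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())
```

A page script would read the `csrf-token` meta tag and send it as `X-CSRF-Token` on every non-GET XHR; the server then accepts either that header or the hidden field, so forms and AJAX go through the same check. With the cookie adapter the protection is only as strong as the cookie itself, so it needs Secure, HttpOnly and a SameSite attribute in a real deployment, which is one reason the session adapter is the sensible default.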

@chrisdpeters chrisdpeters self-assigned this Mar 28, 2016

@perdjurner perdjurner modified the milestone: 2.0.0 Mar 30, 2016

@perdjurner perdjurner removed the roadmap label Mar 30, 2016

@chrisdpeters

Contributor

chrisdpeters commented Apr 19, 2016

Added related isOptions and isHead methods in 8a81e85.

Documentation:

Work on this has begun!

chrisdpeters added a commit that referenced this issue Apr 19, 2016

@chrisdpeters

Contributor

chrisdpeters commented Apr 19, 2016

Docs for protectFromForgery

chrisdpeters added a commit that referenced this issue Apr 27, 2016

chrisdpeters added a commit that referenced this issue Apr 28, 2016

chrisdpeters added a commit that referenced this issue Jul 21, 2016

chrisdpeters added a commit that referenced this issue Jul 22, 2016

@chrisdpeters

Contributor

chrisdpeters commented Jul 22, 2016

Docs for csrfMetaTags

@chrisdpeters

Contributor

chrisdpeters commented Jul 26, 2016

@chrisdpeters

Contributor

chrisdpeters commented Jul 27, 2016

Start of the upgrading instructions. After I get things a little more solidified, I'd like to move the info from the plugin page into the core docs.

@chrisdpeters

Contributor

chrisdpeters commented Sep 2, 2016

I'm happy to report that I finally have a cookie adapter implemented in v0.1.0 of the plugin. Now I will work to port this to the core, write tests, and finish up the docs.

@chrisdpeters

Contributor

chrisdpeters commented Sep 2, 2016

(I also want to "battle test" this new cookie adapter in our production apps as well. If there are any problems, we usually learn of them pretty fast.)

@chrisdpeters

chrisdpeters referenced this issue Sep 8, 2016

@chrisdpeters chrisdpeters referenced this issue Nov 28, 2016

Closed

Integrate ColdRoute plugin into core #609

27 of 28 tasks complete

chrisdpeters added a commit that referenced this issue Dec 1, 2016

chrisdpeters added a commit that referenced this issue Dec 1, 2016

chrisdpeters added a commit that referenced this issue Dec 1, 2016

@chrisdpeters

Contributor

chrisdpeters commented Dec 1, 2016

This has now landed in master! 🎉

I don't have time to look into the failing tests. The ones I looked into didn't make any sense.

@neokoenig

Member

neokoenig commented Dec 2, 2016

I managed to kick your tests through - passing!

@chrisdpeters

Contributor

chrisdpeters commented Dec 2, 2016

I'm sure you've explained before, but remind me what I need to do when I run into a situation like that?

@neokoenig

Member

neokoenig commented Dec 2, 2016

RDP in, open Chrome and click on the "Redeploy" bookmark, then, to be sure, click on the CF10 tests bookmark, which will run them locally. I usually find it good to run them locally just to check it's not throwing any genuine failures; then restart the test from Travis.

@chrisdpeters

Contributor

chrisdpeters commented Dec 2, 2016

@neokoenig Thanks!
