v1.0.0.0

@marcel-maqsood marcel-maqsood released this 07 Apr 13:38

-- The major version jump comes down to one thing:

  • The previous version (v0.1.5.2) did not match the overall state of the AbstractRequestHandler. As it was already pretty polished and ready for production, the new version 1.0.0.0 better describes the project as "ready to use", feature-rich, and stable.

Fix(Security): Overhaul CSRF validation lifecycle and secure POST actions

Fixed:

  • Fixed CSRF token generation timing. New tokens are now exclusively generated during the response phase (generateResponse, generateResponseWithAttr, generateJsonResponse) rather than immediately upon request arrival. This fixes the bug where valid POST requests were rejected, while maintaining robust protection against F5 double-submits.
  • Centralized the CSRF error validation check at the top of handlePost(). This automatically secures all built-in actions (submit, delete) and custom handler logic (handleExtraConfigs) out-of-the-box.
  • Improved error handling by automatically appending the csrfError request attribute to the handler's error messages before rendering the default response.
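
The timing change described above can be reproduced with a small model. This is an added example, not code from the project: the `Handler` class, its `rotate_on_arrival` flag, the dictionary session and the snake_case method names are assumptions that only mirror the names in the notes.

```python
import hmac
import secrets


class Handler:
    """Simplified model of the lifecycle in the notes above (not the project's code)."""

    def __init__(self, rotate_on_arrival):
        self.rotate_on_arrival = rotate_on_arrival  # True models the pre-fix timing
        self.session = {}                           # stands in for the server-side session
        self.errors = []

    def _rotate(self):
        self.session["csrf"] = secrets.token_urlsafe(32)

    def _arrive(self):
        self.errors = []
        if self.rotate_on_arrival:
            self._rotate()  # pre-fix: the token the client holds is discarded here

    def generate_response(self, performed=None):
        if not self.rotate_on_arrival:
            self._rotate()  # post-fix: a new token is issued only with the response
        return {"csrf": self.session["csrf"], "performed": performed,
                "errors": list(self.errors)}

    def handle_get(self):
        self._arrive()
        return self.generate_response()

    def handle_post(self, form):
        self._arrive()
        expected = self.session.get("csrf", "").encode()
        submitted = str(form.get("csrf", "")).encode()
        # Central check: runs before any action (submit, delete, custom logic).
        if not expected or not hmac.compare_digest(submitted, expected):
            self.errors.append("csrfError")
            return self.generate_response()
        return self.generate_response(performed=form.get("action"))


if __name__ == "__main__":
    for mode in (True, False):
        h = Handler(rotate_on_arrival=mode)
        token = h.handle_get()["csrf"]
        form = {"csrf": token, "action": "delete"}
        print(mode, h.handle_post(form), h.handle_post(form))
```

With `rotate_on_arrival=True` the first legitimate POST already fails; with `False` it succeeds once and the replayed form is rejected with `csrfError`.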