Although the RFC doesn't prohibit it, using underscores in header names is not common. For example, Nginx by default considers such headers invalid unless the underscores_in_headers param is set to "on".
I suggest making the default header name "CSRF-Token" so it looks more consistent with standard header names and doesn't cause trouble with web servers.
Just highlighting that this is a pretty important issue. Apache 2.4 also removes that header (http://httpd.apache.org/docs/trunk/env.html - see the "Passing broken headers to CGI scripts" section).
polishdeveloper added a commit to polishdeveloper/CSRF-Protector-PHP that referenced this issue on May 14, 2020:
Both Nginx and Apache 2.4 treat headers with underscores as invalid.
As a solution, let's rename the token name to CSRFP-Token, which should be
valid for cookies, GET and headers.
Issue: mebjas#120
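The mechanism behind the reports above, as an added illustration (not code from the CSRF-Protector-PHP project): the CGI-style mapping that hands request headers to PHP turns `-` into `_`, so `CSRFP-Token` and a constructed `CSRFP_Token` collapse to the same `$_SERVER` variable, and that ambiguity is why nginx and Apache 2.4 drop underscore names by default, which in turn makes the CSRF check see no token at all. The request headers, the `underscores_allowed` switch standing in for nginx's `underscores_in_headers`, and the helper names are assumptions of this example.

```python
from typing import Dict, Iterable, List, Optional, Tuple

Headers = Iterable[Tuple[str, str]]

def cgi_env_name(name: str) -> str:
    """RFC 3875 style mapping behind PHP's $_SERVER: upper-case, '-' -> '_',
    prefix HTTP_. Lossy: 'CSRFP-Token' and 'CSRFP_Token' both give HTTP_CSRFP_TOKEN."""
    return "HTTP_" + name.upper().replace("-", "_")

def server_passes_header(name: str, underscores_allowed: bool = False) -> bool:
    """Default front-end policy: nginx (without `underscores_in_headers on`)
    and Apache 2.4 silently drop header names containing an underscore."""
    return underscores_allowed or "_" not in name

def build_cgi_env(headers: Headers, underscores_allowed: bool = False) -> Dict[str, str]:
    """Filter headers as the web server would, then map the survivors to the
    CGI variables the PHP application reads from $_SERVER."""
    env: Dict[str, str] = {}
    for name, value in headers:
        if server_passes_header(name, underscores_allowed):
            env[cgi_env_name(name)] = value  # on a collision the later header wins
    return env

def token_seen_by_app(headers: Headers, header_name: str,
                      underscores_allowed: bool = False) -> Optional[str]:
    """Value the CSRF check finds for its configured header name, or None when
    the front end dropped it: the silent failure reported in this issue."""
    return build_cgi_env(headers, underscores_allowed).get(cgi_env_name(header_name))

def colliding_names(headers: Headers) -> List[Tuple[str, str]]:
    """Distinct header names that collapse to one CGI variable; this ambiguity
    is why the servers reject underscore names by default."""
    first: Dict[str, str] = {}
    pairs: List[Tuple[str, str]] = []
    for name, _ in headers:
        key = cgi_env_name(name)
        if key in first and first[key] != name:
            pairs.append((first[key], name))
        first.setdefault(key, name)
    return pairs

# Constructed request (example data): the same token under a constructed
# underscore name and under the hyphenated CSRFP-Token name from the commit above.
SAMPLE_HEADERS = [("Host", "app.example"),
                  ("CSRFP_Token", "tok-123"),
                  ("CSRFP-Token", "tok-123")]
```

With the default policy `token_seen_by_app(SAMPLE_HEADERS, "CSRFP_Token")` returns None while the hyphenated name is delivered, and `colliding_names` reports the pair that would otherwise be indistinguishable on the PHP side.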