Rename default header name to prevent being cut by web-servers #120
Comments
|
Sounds good to me. Would you be interested in sending a PR with fix? |
|
Just highlighting that this is pretty important issue. Apache 2.4 also removes that header (http://httpd.apache.org/docs/trunk/env.html - see "Passing broken headers to CGI scripts" section) |
polishdeveloper
added a commit
to polishdeveloper/CSRF-Protector-PHP
that referenced
this issue
May 14, 2020
Both Nginx and Apache2.4 treat the headers with underscore as invalid. As a solution lets rename the token name to CSRFP-Token that should be valid for cookie,get and headers. Issue: mebjas#120
mebjas
added a commit
that referenced
this issue
May 15, 2020
Fix #120 by renaming the csrfp-token to conform to header rules
|
Thanks for calling this out - @georgique and thanks for the fix @polishdeveloper |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Although RFC doesn't prohibit it, using underscores in header names is not common. And for example Nginx by default considers such headers as invalid unless underscore_in_headers param is set to "on".
I suggest to make default header name "CSRF-Token" so it looks more consistent with standard header names and doesn't cause troubles with web-servers.
The text was updated successfully, but these errors were encountered: