Fix the zap baseline scan #2873
Comments
|
Here is the pr that fixed it the last time it was fixed: |
|
@psiinon When the zap baseline scan fails on testpilot stage, where can we look to find out why it is failing? Also, how do we know when it is safe to add data-no-csrf to a form? |
ghost
added this to the
|
Sorry for the delayed response @fzzzy :/ You should only add data-no-csrf to a form if that form doesnt do anything that could be abused. |
|
@psiinon Thanks for the response! No, I can't see the foxsec-results repo. That's great that it's actually passing! Hope you can figure out where the scan in the pipeline is configured. Thanks! |
IIRC, the form in question doesn't actually submit itself anywhere. It's just UI to JS code that sends a request to an external API for mailing list subscription. No auth or cookies or CSRF tokens involved there, either. And the user has to confirm the subscription out-of-band |
|
This has been resolved among various other bugs. I'm working with @psiinon on a script he is testing to notify us about any changes. In the mean time I get the summary emails. I don't think there is a reason to leave this issue open. |
Whenever we push to stage, we get a notification that the zap baseline scan failed. We don't know the details, but relud says it has something to do with CSRF tokens. We should learn why it is failing, how to fix it, and avoid breaking it again.
The text was updated successfully, but these errors were encountered: