I've been using tapestry-csrf-protection for many months, and I log too many CsrfExceptions which are not login attacks.
When using tapestry-csrf-protection, all the pages are under CSRF protection, except pages with the annotation @NotCsrfProtected.
I would prefer that all the pages are NOT under CSRF protection, except pages with the annotation @CsrfProtected. In my case, only the login page...
Thanks, Thomas
I think this would not be a good idea, since CSRF protection should be the default for a web framework (I think it should even be the default in Tapestry Core).
Why wouldn't you protect all your pages (only login)?
Because I log all exceptions from 60 Tapestry web sites with Redmine.
There are a huge number of CsrfExceptions from googleBot, bingbot, etc. These are not attacks!
So I want to protect only my login page.
Except my login page, there is nothing to protect.
Protecting all the pages or not seems to me a good idea. It could be a configuration choice.