This issue was moved to a discussion.

Review CSRF protection #314

Closed
deviantony opened this issue Nov 3, 2016 · 1 comment
Closed

Comments

@deviantony (Member)

CSRF protection has been disabled in #310

The current implementation of CSRF causes issues when hosting multiple Portainer instances on the same host (multiple exposed ports, for example).

Plus, this implementation does not have any token validity check and token expiration policy.

It also requires the CSRF data generated by the server to be persisted in order to restart/upgrade the Portainer instance associated with a specified domain; otherwise users would need to clean out the cookies associated with the domain in order to retrieve a token valid with the new instance.

@deviantony (Member, Author)

Have a look at https://github.com/justinas/nosurf

@portainer portainer locked and limited conversation to collaborators Jul 27, 2023
@jamescarppe jamescarppe converted this issue into discussion #9310 Jul 27, 2023
