Risk of Cross-Site Request Forgery through _method POST parameter #54

Open
randomstuff opened this issue Jun 17, 2018 · 2 comments
@randomstuff

The _method POST parameter can be used to override the HTTP method. This means that DELETE and PUT routes can be triggered through CSRF. The documentation should warn that when using libmonade these routes should be CSRF-protected as well.

Additionally, it might be useful to be able to disable this feature.

@16 16 self-assigned this Jun 18, 2018
@16 16 added the Feature label Jun 18, 2018
@16
Collaborator

16 commented Jun 18, 2018

Thx! So I plan to

@randomstuff
Author

Ideally disabling it by default would be fine as it would follow the Principle of Least Astonishment. It would break existing code however.

Adding CSRF protection by default would break existing code which consumes the API directly (not through the browser), so you might want to make that opt-in as well if you add some CSRF protection.
