
v2.2.0 — Opt-in CSRF Protection


@vishaltps vishaltps released this 24 Jun 07:02
8a83f59

Highlights

Adds opt-in CSRF protection for the dashboard's destructive actions, closing a gap where retry / discard / pause / resume / execute / reject / remove / prune POSTs were unprotected. Disabled by default, so session-less and API-only hosts are fully backward compatible.

Added

  • SolidQueueMonitor.csrf_protection_enabled config option (default false). When enabled, the engine no longer skips verify_authenticity_token: all dashboard forms embed an authenticity_token, csrf_meta_tags are added to the layout, and unverified POST requests to the destructive actions (retry / discard / pause / resume / execute / reject / remove / prune) are rejected. Disabled by default for backward compatibility, since the gem does not assume the host app has a session store. See the new "CSRF Protection" section in the README for requirements.
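The behaviour the option toggles, as an added stand-alone illustration that is not the gem's own code: the gem relies on Rails' verify_authenticity_token, whereas the DashboardCsrfGuard class, its request hash shape and its simplified session token below are assumptions made so the outcome can be shown without Rails.

```ruby
require "securerandom"

# Constructed model of the opt-in check: unverified POSTs to the destructive
# dashboard actions pass when the flag is false and are rejected when it is true.
class DashboardCsrfGuard
  # The actions named in the release notes; GETs and other actions are not gated.
  DESTRUCTIVE_ACTIONS = %w[retry discard pause resume execute reject remove prune].freeze

  # Mirrors SolidQueueMonitor.csrf_protection_enabled (default false).
  attr_accessor :csrf_protection_enabled

  def initialize(csrf_protection_enabled: false)
    @csrf_protection_enabled = csrf_protection_enabled
  end

  # Per-session token, the role Rails' session[:_csrf_token] plays. Rails also
  # masks the token per request; this illustration stores it unmasked.
  def issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # request is a constructed Hash: { method:, action:, params:, headers:, session: }.
  # Returns :ok when the request may proceed and :forbidden when it is rejected.
  def authorize(request)
    return :ok unless request[:method] == "POST"
    return :ok unless DESTRUCTIVE_ACTIONS.include?(request[:action])
    return :ok unless csrf_protection_enabled # flag off: verification is skipped

    expected  = request[:session][:_csrf_token]
    presented = request.dig(:params, "authenticity_token") ||
                request.dig(:headers, "X-CSRF-Token")
    return :forbidden if expected.nil? || presented.nil?

    secure_equal?(presented, expected) ? :ok : :forbidden
  end

  private

  # Constant-time comparison so a mismatch does not leak where the bytes differ.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

A host that enables the flag needs a session store for the token to live in, which is why the release keeps it off by default for session-less and API-only deployments.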

Full Changelog: v2.1.0...v2.2.0