[dev.icinga.com #10548] Implement CSRF protection for the API #3357
Comments
Updated by tgelf on 2015-11-05 14:00:53 +00:00
Updated by mfriedrich on 2015-11-05 14:20:04 +00:00
Applied in changeset 7e5f554.
Updated by mfriedrich on 2015-11-05 14:20:29 +00:00
Please test the fix.
Updated by gbeutner on 2015-11-06 16:22:57 +00:00
Updated by gbeutner on 2015-11-06 17:04:21 +00:00
Updated by mfriedrich on 2015-11-11 14:33:43 +00:00
Updated by tgelf on 2015-11-11 14:56:35 +00:00
Just for the record, lack of CSRF protection is a bug nowadays; its implementation is IMHO not a feature ;)
Updated by mfriedrich on 2015-11-12 15:34:51 +00:00
This issue has been migrated from Redmine: https://dev.icinga.com/issues/10548
Created by tgelf on 2015-11-05 13:59:55 +00:00
Assignee: mfriedrich
Status: Resolved (closed on 2015-11-06 17:04:21 +00:00)
Target Version: 2.4.0
Last Update: 2015-11-12 15:34:51 +00:00 (in Redmine)
The issue
Our REST API is usable through a generic browser. Whoever does so is usually a potential target for CSRF attacks, even if he "just played around". We do not have to care about JavaScript; there we are forced to trust the SOP. We also cannot protect XSS victims. But we absolutely need to protect users from opening themselves up to CSRF attacks.
Proposed solution
CSRF tokens make no sense for API clients (and require additional round trips). The easiest solution to mitigate this problem is to make an HTTP header that web browsers do not send for legacy forms a hard requirement, at least for all non-GET requests. I'd opt for:
Special cases
Cheers,
Thomas
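The gate Thomas proposes, shown as an added example that is not Icinga's own code: a request filter that lets safe methods through and requires a custom header on every state-changing method. The issue does not name the header it settled on, so `X-Api-Client` here is a placeholder assumption, and `HandleRequest` is a simulated dispatcher returning an HTTP status rather than the project's real handler. The reason the check works is that a cross-site HTML form can only produce GET or POST with one of three content types and cannot attach arbitrary headers, while a script that adds a custom header triggers a CORS preflight the server can simply decline.

```cpp
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <map>
#include <string>
#include <utility>

// HTTP header names are case-insensitive, so the lookup must treat
// "x-api-client" and "X-Api-Client" as the same key.
struct CaseInsensitiveLess {
    bool operator()(const std::string& a, const std::string& b) const {
        return std::lexicographical_compare(
            a.begin(), a.end(), b.begin(), b.end(),
            [](unsigned char x, unsigned char y) {
                return std::tolower(x) < std::tolower(y);
            });
    }
};
using Headers = std::map<std::string, std::string, CaseInsensitiveLess>;

// Placeholder: the issue does not say which header was chosen, so this
// name is an assumption of the example, not the project's setting.
const std::string kRequiredHeader = "X-Api-Client";

// Returns true when the request may proceed. Safe methods (read-only by
// contract) pass without the header; that only holds while GET really has
// no side effects on the server. Every other method must carry the custom
// header, which a legacy cross-site form cannot add.
bool IsAllowed(const std::string& method, const Headers& headers) {
    if (method == "GET" || method == "HEAD" || method == "OPTIONS") {
        return true;
    }
    auto it = headers.find(kRequiredHeader);
    return it != headers.end() && !it->second.empty();
}

// Simulated dispatch: 403 when the CSRF gate rejects, 200 otherwise.
int HandleRequest(const std::string& method, const Headers& headers) {
    return IsAllowed(method, headers) ? 200 : 403;
}

// Convenience builder so one request shape fits on a single line.
Headers MakeHeaders(std::initializer_list<std::pair<std::string, std::string>> items) {
    Headers h;
    for (const auto& kv : items) {
        h[kv.first] = kv.second;
    }
    return h;
}

int main() {
    // Constructed request shapes, not captured traffic.
    std::cout << "legacy form POST: "
              << HandleRequest("POST", MakeHeaders({{"Content-Type", "application/x-www-form-urlencoded"}}))
              << "\n";
    std::cout << "API client POST:  "
              << HandleRequest("POST", MakeHeaders({{"x-api-client", "icinga-cli"}, {"Content-Type", "application/json"}}))
              << "\n";
    std::cout << "browser GET:      " << HandleRequest("GET", MakeHeaders({})) << "\n";
    std::cout << "bare DELETE:      " << HandleRequest("DELETE", MakeHeaders({})) << "\n";
    return 0;
}
```

The form-shaped POST and the header-less DELETE are refused, the client that sets the header (in any letter case) gets through, and the GET passes because the design only covers non-GET requests; if any GET endpoint changes state, it needs the same treatment.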
Changesets
2015-11-05 14:18:53 +00:00 by mfriedrich 7e5f554