Remove CSRF protection #141
Comments
I don't know enough about CSRF to comment on whether that makes sense, but if that's the case, then yeah I definitely reckon it should go. It caused me a lot of hassles working out that I needed to set the secret key, and it's something I've seen coming up a fair bit as an issue for people on the community forums. Would save a bit of headache potentially.
chriddyp added a commit that referenced this issue (Oct 17, 2017) - Merged
chriddyp added a commit that referenced this issue (Oct 17, 2017)
chriddyp added a commit that referenced this issue (Oct 17, 2017)
byronz pushed a commit that referenced this issue (Apr 23, 2019): * revert dcc regression branch * Update CHANGELOG.md
HammadTheOne pushed a commit to HammadTheOne/dash that referenced this issue (May 28, 2021): 💄 the CircleCI config file.
Besides the GET of index.html, Dash only supports POST requests with application/json. These are actually unsusceptible to CSRF attacks according to https://security.stackexchange.com/questions/23371/csrf-protection-with-custom-headers-and-without-validating-token/58308#58308. Based off of this, I believe that we should be able to remove CSRF protection and therefore will not require users to create an app.server.config.SECRET_KEY.
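The argument in the issue rests on one server-side property: the state-changing endpoint must accept nothing but a genuine application/json body, because a cross-site HTML form can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain without a CORS preflight. The following is an added example, not Dash's code and not from this thread, showing that check in a minimal standard-library WSGI app; the app name json_only_app, the /update route and the helper call() are hypothetical stand-ins for a Dash-like server.

```python
import io
import json

# Media types a browser will send cross-site from a plain HTML <form> without a
# CORS preflight. These are the only body types a classic CSRF form post can
# carry, so an endpoint that accepts any of them needs a CSRF token, while one
# that only accepts application/json never receives such a request from a form.
FORM_POSTABLE_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def media_type(content_type_header):
    """Bare media type of a Content-Type value, lower-cased, with parameters
    such as '; charset=utf-8' stripped. Returns '' when the header is missing."""
    if not content_type_header:
        return ""
    return content_type_header.split(";", 1)[0].strip().lower()


def is_form_postable(content_type_header):
    """True if a cross-site HTML form could have produced this Content-Type."""
    return media_type(content_type_header) in FORM_POSTABLE_TYPES


def json_only_app(environ, start_response):
    """Hypothetical WSGI app standing in for a Dash-like server: GET of
    index.html is public; POST /update accepts only a strict application/json body."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    path = environ.get("PATH_INFO", "/")

    def reply(status, obj):
        start_response(status, [("Content-Type", "application/json")])
        return [json.dumps(obj).encode("utf-8")]

    if method == "GET" and path in ("/", "/index.html"):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html><body>index</body></html>"]

    if method == "POST" and path == "/update":
        # Exact match on the media type: a text/plain body that happens to
        # contain JSON is still rejected, which is what closes the form-post hole.
        if media_type(environ.get("CONTENT_TYPE")) != "application/json":
            return reply("415 Unsupported Media Type",
                         {"error": "Content-Type must be application/json"})
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length)
        try:
            payload = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return reply("400 Bad Request", {"error": "body is not valid JSON"})
        return reply("200 OK", {"received": payload})

    return reply("404 Not Found", {"error": "no such route"})


def call(app, method, path, body=b"", content_type=None):
    """Invoke a WSGI app with a constructed request; returns (status, body_text)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    if content_type is not None:
        environ["CONTENT_TYPE"] = content_type
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    # Constructed requests: the types a cross-site form can send versus the
    # type a same-origin fetch()/XMLHttpRequest sends.
    for ctype in ("application/x-www-form-urlencoded", "text/plain",
                  "application/json; charset=utf-8"):
        status, _ = call(json_only_app, "POST", "/update", b'{"n": 1}', ctype)
        print(f"{ctype:45} -> {status}")
```

The check must be on the declared media type, not on whether the body parses as JSON: a form with enctype text/plain can carry an arbitrary body, so a server that parses JSON regardless of Content-Type (for example by force-parsing the body) reopens the hole that dropping the CSRF token relies on being closed. The GET of index.html stays unprotected in the example because it changes no state, matching the issue's premise.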