[RSS Feed/News] Add an option to disable CSRF checks for modern browsers

Status
Not open for further replies.

XenForo

Administrative
  • Thread starter
  • Admin
  • #1
XenForo uses a double submit cookie approach to prevent CSRF attacks which does work quite well (except for cases where it breaks).

As CSRF tokens are included in the HTML this does complicate things in some cases, for example when caching HTML for guests.

It would be nice if the requirement for those tokens could optionally be disabled for modern browsers supporting Sec-Fetch-Site:
web.dev: Protect your resources from web attacks with Fetch Metadata. "Fetch Metadata is a new web platform feature designed to allow servers to protect themselves from cross-origin attacks."

This would allow caching HTML on edge nodes more easily...

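The policy the post asks for, as an added, framework-neutral illustration (this is not XenForo's code and does not reflect its internals): on a state-changing request, a server that receives `Sec-Fetch-Site` from the browser can accept `same-origin` or `none` (a direct navigation) without a per-page token, reject `cross-site` outright, and fall back to the double-submit cookie comparison only for clients that do not send Fetch Metadata. The `Request` class, the cookie name `csrf_cookie`, the form field `csrf_token`, and the `trust_fetch_metadata` switch are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Sec-Fetch-Site values that do not indicate a cross-site initiator.
# "same-site" (sibling subdomains) is deliberately left out; widen this set
# only if every subdomain is trusted to the same degree as the origin.
TRUSTED_FETCH_SITES = {"same-origin", "none"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumed shape)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _header(req, name):
    """Case-insensitive header lookup."""
    lowered = {k.lower(): v for k, v in req.headers.items()}
    return lowered.get(name.lower())


def double_submit_ok(req, cookie_name="csrf_cookie", field_name="csrf_token"):
    """Classic double-submit check: the token in the form must equal the
    token in the cookie. Names are assumptions for this example."""
    cookie = req.cookies.get(cookie_name)
    submitted = req.form.get(field_name)
    if not cookie or not submitted:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(cookie, submitted)


def csrf_check(req, trust_fetch_metadata):
    """Return ("allow" | "deny", reason) for a request.

    trust_fetch_metadata models the optional switch the post proposes:
    when True, a trusted Sec-Fetch-Site value replaces the token check.
    """
    if req.method.upper() in SAFE_METHODS:
        return ("allow", "safe method, no state change")

    site = _header(req, "Sec-Fetch-Site")
    if site is not None:
        site = site.strip().lower()
        # A browser-reported cross-site initiator is denied regardless of token.
        if site == "cross-site":
            return ("deny", "cross-site request per Sec-Fetch-Site")
        if trust_fetch_metadata and site in TRUSTED_FETCH_SITES:
            return ("allow", f"Sec-Fetch-Site={site}, token not required")

    # No usable Fetch Metadata (older browser or option disabled): fall back
    # to the double-submit cookie, which still needs the token in the HTML.
    if double_submit_ok(req):
        return ("allow", "double-submit token matched")
    return ("deny", "missing or mismatched CSRF token")


def run_demo():
    """Constructed sample requests covering each branch of the policy."""
    tok = "c0ffee"
    cases = {
        # Modern browser, cacheable HTML without a token embedded.
        "modern_same_origin_no_token": Request(
            "POST", {"Sec-Fetch-Site": "same-origin"}),
        # Same request with the option off: token is still required.
        "modern_same_origin_option_off": Request(
            "POST", {"Sec-Fetch-Site": "same-origin"}),
        # Forged from another site; browser labels it cross-site.
        "modern_cross_site": Request(
            "POST", {"Sec-Fetch-Site": "cross-site"},
            {"csrf_cookie": tok}, {"csrf_token": tok}),
        # Older browser without Fetch Metadata, valid double-submit token.
        "legacy_token_ok": Request(
            "POST", {}, {"csrf_cookie": tok}, {"csrf_token": tok}),
        # Older browser, token mismatch.
        "legacy_token_bad": Request(
            "POST", {}, {"csrf_cookie": tok}, {"csrf_token": "deadbeef"}),
        # Read-only request is never subject to the check.
        "plain_get": Request("GET", {"Sec-Fetch-Site": "cross-site"}),
    }
    results = {}
    for name, req in cases.items():
        trust = name != "modern_same_origin_option_off"
        results[name] = csrf_check(req, trust)[0]
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:32s} {decision}")
```

Two points worth keeping in mind with this shape: `Sec-Fetch-Site` is a forbidden header name, so page scripts cannot set it, but non-browser clients can send any value they like; that is acceptable here because such a client does not carry a victim's session cookies, which is what CSRF depends on. The token fallback must stay in place for as long as browsers without Fetch Metadata are supported, so the HTML served to those clients still cannot be cached as-is.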