Review CSRF protection #9310
deviantony started this conversation in Ideas
Replies: 1 comment
-
Have a look at https://github.com/justinas/nosurf
-
CSRF protection has been disabled in #310
The current implementation of CSRF causes issues when hosting multiple Portainer instances on the same host (multiple exposed ports, for example).
Plus, this implementation does not have any token validity check or token expiration policy.
It also requires the CSRF data generated by the server to be persisted in order to restart/upgrade the Portainer instance associated with a specified domain; otherwise users would need to clean out the cookies associated with the domain in order to retrieve a token valid with the new instance.
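The three gaps listed in the post (no validity check, no expiry, server-side CSRF state that has to survive restarts) can be shown together in one stateless token design. The Go below is an added example, not Portainer's code and not nosurf's: `TokenIssuer`, `Issue`, `Verify` and `CookieName` are hypothetical names, the key and instance id are constructed values, and the token layout (expiry timestamp, random nonce, HMAC-SHA256 over both) is one common construction rather than anything the discussion prescribes. The only state the server keeps is the HMAC key, which is exactly the piece that must be loaded from persistent storage; the `main` function shows what happens when a restarted instance comes up with a fresh key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ErrInvalidToken is returned for malformed, forged or expired tokens.
var ErrInvalidToken = errors.New("csrf: token invalid or expired")

const (
	expiryLen  = 8  // big-endian Unix seconds of the expiry time
	nonceLen   = 16 // random bytes so every issued token is distinct
	payloadLen = expiryLen + nonceLen
	tokenLen   = payloadLen + sha256.Size
)

// TokenIssuer mints and checks stateless CSRF tokens. Nothing per user is
// stored server-side; only the HMAC key must be persisted. A key that is
// regenerated on every start invalidates every outstanding token, which is
// the restart/upgrade problem the post describes.
type TokenIssuer struct {
	key []byte
	ttl time.Duration
	Now func() time.Time // injectable clock so expiry can be tested
}

// NewTokenIssuer wraps a (persisted) secret key and the token lifetime.
func NewTokenIssuer(key []byte, ttl time.Duration) *TokenIssuer {
	return &TokenIssuer{key: key, ttl: ttl, Now: time.Now}
}

// Issue returns base64url(expiry || nonce || HMAC-SHA256(key, expiry || nonce)).
func (t *TokenIssuer) Issue() (string, error) {
	payload := make([]byte, payloadLen)
	binary.BigEndian.PutUint64(payload[:expiryLen], uint64(t.Now().Add(t.ttl).Unix()))
	if _, err := rand.Read(payload[expiryLen:]); err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, t.key)
	mac.Write(payload)
	// mac.Sum appends the tag to a copy of payload: payload || tag.
	return base64.RawURLEncoding.EncodeToString(mac.Sum(payload)), nil
}

// Verify checks length, then the HMAC in constant time, then the expiry.
func (t *TokenIssuer) Verify(token string) error {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != tokenLen {
		return ErrInvalidToken
	}
	payload, sig := raw[:payloadLen], raw[payloadLen:]
	mac := hmac.New(sha256.New, t.key)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return ErrInvalidToken
	}
	expiry := time.Unix(int64(binary.BigEndian.Uint64(payload[:expiryLen])), 0)
	if !t.Now().Before(expiry) {
		return ErrInvalidToken
	}
	return nil
}

// CookieName scopes the token cookie to one instance. Browsers do not
// isolate cookies by port, so two instances on the same host that share a
// cookie name overwrite each other's tokens. instanceID is assumed to be a
// configured value that is unique per deployment.
func CookieName(instanceID string) string {
	return "csrf_token_" + instanceID
}

func main() {
	// Constructed demo key; a real deployment loads it from persistent storage.
	key := []byte("constructed-demo-key-not-for-production")
	issuer := NewTokenIssuer(key, 30*time.Minute)
	tok, err := issuer.Issue()
	if err != nil {
		panic(err)
	}
	fmt.Println("issued:", tok)
	fmt.Println("verify with the same key:", issuer.Verify(tok))
	// Simulate a restart that did not persist the key.
	restarted := NewTokenIssuer([]byte("fresh-key-after-restart"), 30*time.Minute)
	fmt.Println("verify after key loss:", restarted.Verify(tok))
}
```

The token carries its own expiry, so validity is a pure function of the key and the clock; rotating or losing the key is the only way a restart can reject existing tokens, which is why the key (not any per-session table) is the thing to persist. The cookie-name helper addresses the multiple-ports case: cookies are scoped by host, not by port, so each instance needs its own cookie name or path to avoid clobbering the other's token.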