labml icon indicating copy to clipboard operation
labml copied to clipboard
verified publisher icon labmlai

Additional CSRF deactivation checks

Open jamgregory opened this issue 3 years ago • 0 comments

This MR adds additional CSRF deactivation checks as detailed in presidentbeef/brakeman#1545:

  • [x] config.action_controller.allow_forgery_protection = false
  • [ ] skip_before_action :verify_authenticity_token
  • [ ] protect_from_forgery except: :index
  • [ ] protect_from_forgery only: :show
  • [ ] protect_from_forgery if: -> { ... }
  • [ ] protect_from_forgery unless: -> { ... }

(this also includes the work in presidentbeef/brakeman#1719 as that's required for the new checks to function correctly)

jamgregory avatar Jul 06 '22 11:07 jamgregory