Remove now-unnecessary CSRF tokens

Administrator requested to merge remove-csrf-check into master

Created by: sqs

The routes that are protected by CSRF tokens all only need to accept JSON post data. So we can remove CSRF tokens. This removes a lot of complexity in our security model (@slimsag, @keegancsmith, and I have spent time researching whether our CSRF tokens impl is correct, when it isn't actually being used for anything).

Note that this just removes CSRF tokens, not CORS or other CSRF protections.

See commit messages.
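
An added example, not code from this merge request or the project: dropping tokens on JSON-only routes is safe only if the server rejects every other request content type, since HTML forms can submit `application/x-www-form-urlencoded`, `multipart/form-data` and `text/plain` cross-origin without a CORS preflight, while `application/json` cannot be sent that way. The middleware name `requireJSON`, the helper `statusFor` and the `/example` path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireJSON (hypothetical name) rejects state-changing requests whose
// Content-Type is not application/json, so form-style bodies never reach a handler.
func requireJSON(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods; handlers must not change state here
			return
		}
		// ParseMediaType lowercases the type and strips parameters such as
		// "; charset=utf-8"; a missing or malformed header is an error.
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/json" {
			http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the middleware and returns the status.
func statusFor(method, contentType, body string) int {
	h := requireJSON(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "/example", strings.NewReader(body))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, ct := range []string{"application/json", "text/plain", "application/x-www-form-urlencoded", ""} {
		fmt.Printf("%-38q -> %d\n", ct, statusFor("POST", ct, `{"a":1}`))
	}
}
```

This check complements the CORS policy the description says is kept: the preflight for `application/json` only protects the route if the CORS configuration does not approve untrusted origins.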
