Remove now-unnecessary CSRF tokens (!472) · Merge requests · Warren Gifford / sourcegraph

Closed Warren Gifford requested to merge remove-csrf-check into master 6 years ago

Created by: sqs

The routes that are protected by CSRF tokens all only need to accept JSON post data. So we can remove CSRF tokens. This removes a lot of complexity in our security model (@slimsag, @keegancsmith, and I have spent time researching whether our CSRF tokens impl is correct, when it isn't actually being used for anything).

Note that this just removes CSRF tokens, not CORS or other CSRF protections.

See commit messages.

fix https://github.com/sourcegraph/enterprise/issues/11121
https://github.com/sourcegraph/sourcegraph/pull/241#issuecomment-427359458

Activity

Please register or sign in to reply

Remove now-unnecessary CSRF tokens

Merge request reports

Activity