Remove now-unnecessary CSRF tokens

Created by: sqs

The routes that are protected by CSRF tokens all only need to accept JSON post data. So we can remove CSRF tokens. This removes a lot of complexity in our security model (@slimsag, @keegancsmith, and I have spent time researching whether our CSRF tokens impl is correct, when it isn't actually being used for anything).

Note that this just removes CSRF tokens, not CORS or other CSRF protections.

See commit messages.

Closed by avatar (Jul 31, 2025 12:03am UTC)
