GitHub user rnewson opened a pull request:
https://github.com/apache/couchdb-couch/pull/80
Add CSRF protection
If the request parameter `csrf` is set to `true` when successfully
acquiring a session cookie from `_session`, an additional cookie
(`Csrf-token`) is returned. All requests that send this new cookie
must also send a header (`X-Csrf-Token`) with the same value. If the
cookie is sent and the header is missing or different, a 403 response
is generated.
Note that the CSRF token is signed by the server so tampering is
detected and also results in a 403 response.
closes COUCHDB-2762
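The rule described above (opt-in via `csrf=true` at `_session`, a `Csrf-token` cookie that must be echoed in an `X-Csrf-Token` header, a 403 on mismatch, and a server signature so a tampered token is also rejected) is modelled below as an added Python example. It is not the pull request's Erlang code and not CouchDB's API; the token layout (`nonce:hmac`), the `SERVER_SECRET` value, the `session_response` helper and the `AuthSession` placeholder are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the example only; a real server keeps its signing
# key out of source and rotates it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

COOKIE_NAME = "Csrf-token"
HEADER_NAME = "X-Csrf-Token"


def issue_csrf_token(secret: bytes = SERVER_SECRET) -> str:
    """Mint a token as '<random nonce>:<HMAC-SHA256(secret, nonce)>'.

    The HMAC is the 'signed by the server' part: a client cannot forge or
    alter a token without the secret, so tampering is detectable.
    """
    nonce = secrets.token_hex(16)
    sig = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}:{sig}"


def token_is_authentic(token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Verify the server signature on a token (constant-time comparison)."""
    nonce, sep, sig = token.partition(":")
    if not sep:
        return False
    expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())


def session_response(params: dict) -> dict:
    """Model of the _session login response: cookies the server would set.

    The extra Csrf-token cookie is only issued when the request carried
    csrf=true. 'AuthSession' is a placeholder name for the session cookie.
    """
    cookies = {"AuthSession": "<session-cookie-placeholder>"}
    if params.get("csrf") == "true":
        cookies[COOKIE_NAME] = issue_csrf_token()
    return cookies


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_check(cookies: dict, headers: dict, secret: bytes = SERVER_SECRET) -> int:
    """Decide what the CSRF layer does with a request: 200 = pass, 403 = reject.

    - no Csrf-token cookie          -> client never opted in, pass through
    - cookie present, header absent -> 403
    - cookie and header differ      -> 403
    - cookie matches header but the signature does not verify -> 403
    """
    cookie = cookies.get(COOKIE_NAME)
    if cookie is None:
        return 200
    header = _header(headers, HEADER_NAME)
    if header is None:
        return 403
    if not hmac.compare_digest(cookie.encode(), header.encode()):
        return 403
    if not token_is_authentic(cookie, secret):
        return 403
    return 200


if __name__ == "__main__":
    # Walk through the flow: log in with csrf=true, then make a request that
    # echoes the cookie in the header, one that forgets the header, and one
    # whose token was altered.
    issued = session_response({"csrf": "true"})
    token = issued[COOKIE_NAME]
    print("echoed correctly :", csrf_check({COOKIE_NAME: token}, {HEADER_NAME: token}))
    print("header missing   :", csrf_check({COOKIE_NAME: token}, {}))
    altered = "0" * 32 + token[32:]
    print("token tampered   :", csrf_check({COOKIE_NAME: altered}, {HEADER_NAME: altered}))
```

The comparison of cookie against header and of the HMAC against its expected value both use `hmac.compare_digest` so that a mismatch is not detectable by timing; the header lookup is case-insensitive because proxies and clients do not preserve header-name case.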
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/cloudant/couchdb-couch 2762-csrf
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/couchdb-couch/pull/80.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #80
----
commit 32fd87b2840b090a40782c2442c268dfca25c9e3
Author: Robert Newson <[email protected]>
Date: 2015-07-31T15:25:36Z
Add CSRF protection
If the request parameter `csrf` is set to `true` when successfully
acquiring a session cookie from `_session`, an additional cookie
(`Csrf-token`) is returned. All requests that send this new cookie
must also send a header (`X-Csrf-Token`) with the same value. If the
cookie is sent and the header is missing or different, a 403 response
is generated.
Note that the CSRF token is signed by the server so tampering is
detected and also results in a 403 response.
closes COUCHDB-2762
----