Github user kxepal commented on a diff in the pull request:

    https://github.com/apache/couchdb-couch/pull/80#discussion_r35985957
  
    --- Diff: src/couch_httpd.erl ---
    @@ -387,6 +388,35 @@ valid_hosts() ->
         List = config:get("httpd", "valid_hosts", ""),
         re:split(List, ",", [{return, list}]).
     
    +validate_csrf(#httpd{} = Req) ->
    +    case header_value(Req, "Cookie") of
    +        undefined ->
    +            ok;
    +        Value ->
    +            Cookies = mochiweb_cookies:parse_cookie(Value),
    +            Cookie = couch_util:get_value("Csrf-token", Cookies),
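    Review bot: the `undefined -> ok` clause in validate_csrf returns success for any request that carries no Cookie header at all, so the check only covers cookie-authenticated requests; that is the intended scope for a CSRF guard, but the clause deserves a one-line comment stating that assumption, since a reader could mistake it for a bypass. On the last visible line, `couch_util:get_value("Csrf-token", Cookies)` hard-codes the cookie name; reading it from configuration with a default (for example a `config:get("httpd", ...)` lookup, following the `valid_hosts` pattern at the top of the hunk) would let deployments avoid name collisions without a code change. Also note that `mochiweb_cookies:parse_cookie/1` yields a proplist, so `get_value` returns `undefined` when the cookie is absent; the elided lines after this point should fail closed in that case rather than treat a missing cookie like a missing Cookie header.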
    --- End diff --
    
    Can we have the CSRF cookie name configurable, to avoid possible collisions with other web services that also define CSRF protection? I cannot name any that uses the same "Csrf-token" value (Django has "csrftoken", Pyramid "csrf_token"), but the collision probability could still be high here.
    
    Or maybe use the "CouchDB-CSRF-Token" name by default; it is unlikely to cause any problems.

