[
https://issues.apache.org/jira/browse/COUCHDB-2769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14698357#comment-14698357
]
ASF subversion and git services commented on COUCHDB-2769:
----------------------------------------------------------
Commit 361071675ac074fa565f71f8142a79c668aa6d41 in couchdb-fauxton's branch
refs/heads/master from [~robertkowalski]
[ https://git-wip-us.apache.org/repos/asf?p=couchdb-fauxton.git;h=3610716 ]
csrf: add CSRF indicator
adds a small indicator to the sidebar if we are protected
against CSRF.
to test, comment `res.setHeader('x-couchdb-csrf-valid', 'true');`
in `tasks/couchserver.js` and browse without logging into fauxton
we have to modify the dev-server to test as the dev-version of
fauxton fetches the html templates through it with ajax, which is
disturbing for the detection.
this closes COUCHDB-2769
PR: #497
PR-URL: https://github.com/apache/couchdb-fauxton/pull/497
Reviewed-By: garren smith <[email protected]>
> Indicate when CSRF protection is active
> ---------------------------------------
>
> Key: COUCHDB-2769
> URL: https://issues.apache.org/jira/browse/COUCHDB-2769
> Project: CouchDB
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: Fauxton
> Reporter: Robert Newson
> Assignee: Robert Kowalski
>
> Any request that was protected by CouchDB's native CSRF prevention system
> will return an X-CouchDB-CSRF-Valid response header with value "true".
> Indicate on every screen whether this happens or not. Doesn't have to be
> prominent but should always be present (indicating protected vs not protected
> clearly).
> Suggestion is the phrase "CSRF protected" appears in green vs "CSRF
> vulnerable" in red somewhere in the bottom left where Logout and logo live.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
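The detection the issue asks for, as an added example and not Fauxton's own code: a client-side helper that reads the `X-CouchDB-CSRF-Valid` response header and maps it to the "CSRF protected" (green) / "CSRF vulnerable" (red) indicator the issue suggests. The header name and values come from the issue; everything else is assumed: the case-insensitive header lookup, the `CsrfIndicatorTracker` class, the rule that only JSON (CouchDB API) responses update the state (chosen because the commit message notes that the dev server's ajax template fetches disturb detection), and a neutral "unknown" state before any API response has been seen. The sample headers at the bottom are constructed for the demonstration.

```javascript
// Added example (not the Fauxton project's code). Derives a CSRF-protection
// indicator from CouchDB response headers, as described in COUCHDB-2769.
const CSRF_HEADER = 'x-couchdb-csrf-valid';

// Case-insensitive header lookup over a plain object or a Headers-like object
// (anything with a get() method, e.g. the WHATWG Headers used by fetch()).
function getHeader(headers, name) {
  if (headers && typeof headers.get === 'function') {
    return headers.get(name);
  }
  const wanted = name.toLowerCase();
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : headers[key];
}

// "protected" only when the header is present with the exact value "true";
// a missing header or any other value counts as "vulnerable", per the issue.
function csrfStateFromHeaders(headers) {
  const value = getHeader(headers, CSRF_HEADER);
  const isValid = value !== null && String(value).trim().toLowerCase() === 'true';
  return isValid ? 'protected' : 'vulnerable';
}

// Text and colour suggested in the issue for the sidebar indicator.
function csrfIndicator(state) {
  if (state === 'protected') return { text: 'CSRF protected', color: 'green' };
  if (state === 'vulnerable') return { text: 'CSRF vulnerable', color: 'red' };
  return { text: 'CSRF status unknown', color: 'grey' }; // assumed initial state
}

// Keeps the most recent state observed on API responses. Assumption: only
// responses with a JSON Content-Type (the CouchDB API) are considered, so
// HTML template fetches made over ajax by the dev server are ignored and do
// not flip the indicator to "vulnerable".
class CsrfIndicatorTracker {
  constructor() {
    this.state = 'unknown';
  }

  // Call with the response URL and headers of every completed request.
  observe(url, headers) {
    const contentType = getHeader(headers, 'content-type') || '';
    if (!/application\/json/i.test(contentType)) {
      return this.state; // not an API response; leave the indicator untouched
    }
    this.state = csrfStateFromHeaders(headers);
    return this.state;
  }

  render() {
    return csrfIndicator(this.state);
  }
}

// Constructed sample responses for a stand-alone run.
function demo() {
  const tracker = new CsrfIndicatorTracker();
  const seen = [tracker.render().text];
  tracker.observe('/_session', {
    'Content-Type': 'application/json; charset=utf-8',
    'X-CouchDB-CSRF-Valid': 'true',
  });
  seen.push(tracker.render().text);
  // A template fetch from the dev server: HTML, no header, must not change state.
  tracker.observe('/templates/sidebar.html', { 'Content-Type': 'text/html' });
  seen.push(tracker.render().text);
  // An API response without the header, as when the dev-server line is commented out.
  tracker.observe('/_all_dbs', { 'content-type': 'application/json' });
  seen.push(tracker.render().text);
  return seen;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo().join(' -> '));
}
```

In a browser build the `observe` call would be attached to the ajax layer's response hook (for example a `fetch` wrapper that passes `response.url` and `response.headers`), and `render()` would drive the sidebar element near Logout and the logo that the issue mentions.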