Re: Hidden Field Name for Token For Struts 1.3

2018-10-09 Thread Yasser Zamani



On 2018/09/25 15:41:47, hanzhid...@gmail.com wrote: 
> Hi,
> Struts version: 1.3
> 
> Currently our web application is using a struts tag on the jsp 
> page. This tag will generate the html response with the hidden form field 
> org.apache.struts.taglib.html.TOKEN. This field is used for storing the CSRF 
> token. We are concerned that public users accessing our web application will 
> see this field name at the browser side, and be able to know that our backend 
> application is using struts. This could lead to a security risk.
> 
> We would like to know if struts 1.3 allows developers to change the name of 
> the generated hidden field for storing the token, so that we can change the 
> name used to something other than org.apache.struts.taglib.html.TOKEN.
> 

I don't think so, as even Struts 2 doesn't have such a feature. Struts 1 isn't 
supported due to EOL, but thanks a lot for your tip, which could be applied to 
Struts 2.

Regards.

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Hidden Field Name for Token For Struts 1.3

2018-09-25 Thread hanzhiding
Hi,
Struts version: 1.3

Currently our web application is using a struts tag on the jsp page. 
This tag will generate the html response with the hidden form field 
org.apache.struts.taglib.html.TOKEN. This field is used for storing the CSRF 
token. We are concerned that public users accessing our web application will see 
this field name at the browser side, and be able to know that our backend 
application is using struts. This could lead to a security risk.

We would like to know if struts 1.3 allows developers to change the name of the 
generated hidden field for storing the token, so that we can change the name used 
to something other than org.apache.struts.taglib.html.TOKEN.
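An added example, not code from this thread or from Struts: a servlet filter (hypothetical name `TokenFieldAliasFilter`) that lets the form post the token under a neutral field name while Struts 1's `TokenProcessor` still finds it under the request parameter `org.apache.struts.taglib.html.TOKEN` it reads; the public field name `_fx` is an assumed value. This only hides which framework is in use; the token comparison itself is unchanged.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter (not part of Struts): the browser posts the CSRF token under a
// neutral field name, and Struts 1's TokenProcessor still reads it under its own name.
public class TokenFieldAliasFilter implements Filter {
    // Parameter name Struts 1 looks up (Constants.TOKEN_KEY).
    static final String STRUTS_TOKEN_PARAM = "org.apache.struts.taglib.html.TOKEN";
    // Neutral name rendered in the page; assumed value, choose your own.
    static final String PUBLIC_TOKEN_PARAM = "_fx";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only wrap requests that actually carry the neutral field.
        if (req instanceof HttpServletRequest && req.getParameter(PUBLIC_TOKEN_PARAM) != null) {
            req = new AliasedRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    // Wrapper that answers lookups of the Struts name with the public field's value.
    static class AliasedRequest extends HttpServletRequestWrapper {
        AliasedRequest(HttpServletRequest r) { super(r); }

        public String getParameter(String name) {
            return STRUTS_TOKEN_PARAM.equals(name) ? super.getParameter(PUBLIC_TOKEN_PARAM)
                                                    : super.getParameter(name);
        }

        public String[] getParameterValues(String name) {
            return STRUTS_TOKEN_PARAM.equals(name) ? super.getParameterValues(PUBLIC_TOKEN_PARAM)
                                                    : super.getParameterValues(name);
        }
    }
}
```

Map the filter to the form's action in web.xml. The JSP must also stop rendering the Struts-named field: write the token from the session attribute `Globals.TRANSACTION_TOKEN_KEY` into an input named `_fx` inside a plain `<form>`, since `<html:form>` adds the original hidden field whenever a token is in the session.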
