
Accept only application/json for /login and /register

Open mdeggies opened this issue 9 years ago • 3 comments

To eliminate security issues in the future, we're going to make sure the /login and /register endpoints accept only application/json. In the event of CSRF attacks, CORS errors will be thrown. -Robert's idea

mdeggies avatar Aug 30 '16 22:08 mdeggies
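The content-type restriction described in this issue, as an added example that is not express-stormpath's own code or anything posted in this thread: an Express-style middleware that lets POST requests to /login and /register through only when their Content-Type is application/json, and answers everything else with 415. The names `requireJson`, `mediaType`, `PROTECTED_PATHS` and `simulate` are mine; `simulate` is a stand-in for Express's req/res objects so the block runs without Express installed.

```javascript
// Added example (not express-stormpath code): gate /login and /register so
// that only JSON bodies reach the handlers.
//
// Why this blunts CSRF: an HTML <form> can only submit as
// application/x-www-form-urlencoded, multipart/form-data or text/plain, so a
// cross-site form post never passes this check. A cross-origin fetch/XHR that
// sets "Content-Type: application/json" is not a "simple" request, so the
// browser sends a CORS preflight first and refuses to continue unless the
// server opts in; that refusal is the "CORS error" the issue mentions.

// Paths named in the issue (assumption: they are mounted at the app root).
const PROTECTED_PATHS = new Set(['/login', '/register']);

// Reduce a Content-Type header to its media type, dropping parameters such
// as "; charset=utf-8" and normalising case. Missing header -> ''.
function mediaType(contentTypeHeader) {
  if (typeof contentTypeHeader !== 'string') return '';
  return contentTypeHeader.split(';')[0].trim().toLowerCase();
}

// Express middleware: mount with app.use(requireJson) before the auth routes
// and before any body parser that would accept form-encoded bodies.
function requireJson(req, res, next) {
  if (req.method !== 'POST' || !PROTECTED_PATHS.has(req.path)) {
    return next(); // not one of the guarded endpoints
  }
  if (mediaType(req.headers['content-type']) !== 'application/json') {
    // 415 Unsupported Media Type: reject before any handler or body parser runs.
    res.status(415).json({ error: 'Content-Type must be application/json' });
    return;
  }
  return next();
}

// Minimal stand-in for Express req/res so the middleware can be exercised
// offline. Returns whether next() was reached and the resulting status code.
function simulate(method, path, headers) {
  const req = { method, path, headers };
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
  let passed = false;
  requireJson(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, body: res.body };
}

// Constructed sample requests: a classic cross-site form post, a legitimate
// JSON login, and an unrelated route that the gate must leave alone.
console.log(simulate('POST', '/login',
  { 'content-type': 'application/x-www-form-urlencoded' }));   // 415, blocked
console.log(simulate('POST', '/login',
  { 'content-type': 'application/json; charset=utf-8' }));     // passes
console.log(simulate('POST', '/profile', {}));                 // passes, not guarded
```

The check deliberately compares the parsed media type rather than the raw header, so `application/json; charset=utf-8` is accepted while a missing or form-encoded Content-Type is refused. Treat it as one layer: it only helps if the JSON body parser is the sole parser on these routes, and it complements rather than replaces token-based CSRF protection such as the csurf middleware recommended later in this thread.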

@mdeggies Is there a timeline on this?

kirps avatar Sep 09 '16 12:09 kirps

@kirps sorry I'm just seeing this now! I will check on this for you.

mdeggies avatar Oct 10 '16 15:10 mdeggies

@kirps After speaking with the JS team, this is a much larger task than anticipated, and will not be completed in the short term. Implementing CSRF protection for your app will mitigate any security related issues, and can be achieved with tools like csurf or csrf.

mdeggies avatar Oct 10 '16 18:10 mdeggies