Add a policy to require user interaction on certain inbound cross-site requests
Problem
There are a number of cases where FusionAuth expects inbound cross-site requests, such as the forgot password flow and inbound magic links. When these links are delivered to users by email, some security-focused link checkers follow them to assess risk. When a link carries information that causes a state change in FusionAuth (e.g. invalidating a one-time use code), the legitimate click by the user may then no longer work.
Solution
Add a policy to force user interaction in these cases, so that a request from a link checker receives a form but does not change state in FusionAuth. Only the form submission produced by the user's click causes the state change. Link checkers should not be posting a returned form.
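The mechanism described above, as an added illustration and not FusionAuth's own code: a GET on a one-time link only renders an interstitial form that echoes the code back, and the code is consumed only on the POST the user's click produces. The `require_interaction=False` branch models the current behaviour, where the GET itself consumes the code and a link checker that pre-fetches the URL burns it. The handler, the `code` parameter name, the store and the sample subject are all constructed for this example.

```python
"""Hypothetical model of a "require user interaction" policy for one-time
links (forgot-password or magic-link URLs). Not FusionAuth code: the handler,
the 'code' parameter name, the store and the subject are constructed here."""
from dataclasses import dataclass, field
from html import escape
import secrets


@dataclass
class OneTimeCodeStore:
    """Maps a one-time code to its subject; a code is removed once consumed."""
    codes: dict = field(default_factory=dict)

    def issue(self, subject: str) -> str:
        code = secrets.token_urlsafe(24)
        self.codes[code] = subject
        return code

    def peek(self, code: str):
        """Look up a code without consuming it (used by the GET path)."""
        return self.codes.get(code)

    def consume(self, code: str):
        """Remove and return the subject; None if unknown or already used."""
        return self.codes.pop(code, None)


@dataclass
class Response:
    status: int
    body: str


def handle(method: str, params: dict, store: OneTimeCodeStore,
           require_interaction: bool = True) -> Response:
    """Handle an inbound one-time-link request.

    With require_interaction=True a GET only renders a form that echoes the
    code; the code is consumed on the POST produced by the user's click.
    With require_interaction=False the GET itself consumes the code, so a
    link checker that pre-fetches the URL makes the user's later click fail.
    """
    code = params.get("code", "")  # 'code' is a constructed parameter name
    if method == "GET":
        if store.peek(code) is None:
            return Response(400, "invalid or expired link")
        if not require_interaction:
            subject = store.consume(code)
            return Response(200, f"state changed for {subject}")
        # Interstitial: a same-origin POST back to this endpoint; no state changes yet.
        form = (f'<form method="POST" action="/one-time/continue">'
                f'<input type="hidden" name="code" value="{escape(code)}">'
                f'<button type="submit">Continue</button></form>')
        return Response(200, form)
    if method == "POST":
        subject = store.consume(code)
        if subject is None:
            return Response(400, "invalid or expired link")
        return Response(200, f"state changed for {subject}")
    return Response(405, "method not allowed")


def simulate(require_interaction: bool) -> bool:
    """A link checker GETs the URL first, then the real user clicks it.
    Returns True if the user's click still succeeds."""
    store = OneTimeCodeStore()
    code = store.issue("alice@example.com")  # constructed subject
    params = {"code": code}
    handle("GET", params, store, require_interaction)  # the link checker's fetch
    user_get = handle("GET", params, store, require_interaction)
    if not require_interaction:
        return user_get.status == 200
    if user_get.status != 200 or "<form" not in user_get.body:
        return False
    user_post = handle("POST", params, store, require_interaction)
    return user_post.status == 200


if __name__ == "__main__":
    print("consume on GET, user click works:", simulate(False))  # False
    print("consume on POST, user click works:", simulate(True))  # True
```

The interstitial keeps the link idempotent for anything that only follows URLs; the code is still single-use, because the POST path consumes it and a second POST with the same code is rejected.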
Alternatives/workarounds
No known workarounds, other than to turn down the aggressiveness of a link checker.
Related
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.