data-govt-nz / ckanext-security

A CKAN extension to hold various security improvements for CKAN
GNU Affero General Public License v3.0

Enhance the CSRF tokens #25

Closed camfindlay closed 3 years ago

camfindlay commented 5 years ago

Look to amend our tokens using the approach put forward at https://github.com/qld-gov-au/ckan-ex-qgov/pull/6/files

ThrawnCA commented 5 years ago

Description is at https://github.com/data-govt-nz/ckanext-security/issues/23#issuecomment-508620040

ThrawnCA commented 4 years ago

Bump.

We've been running data.qld.gov.au and publications.qld.gov.au on the new HMAC-based token format for several months, and it seems to be working well.

camfindlay commented 4 years ago

@ThrawnCA nice one! Take it we can close this issue?

ThrawnCA commented 4 years ago

@camfindlay No, what I'm suggesting is that the HMAC-based token format from https://github.com/qld-gov-au/ckan-ex-qgov/pull/6/ should be merged into this extension. It can't just be cherry-picked, because things were restructured a bit when importing our CSRF filter into ckanext-security, but it should be pretty straightforward.
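To make the HMAC-based token idea concrete, the following is an added illustration written for this page; it is not the format from the qld-gov-au PR and not ckanext-security's own code. The secret value, the `user_id|issued_at|nonce` message layout, the `/`-separated encoding and the one-hour lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side signing key; in a real deployment this would come from site
# configuration, never from source. The value below is constructed for the example.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime; tokens older than this are rejected


def _mac(secret: bytes, user_id: str, issued_at: int, nonce: str) -> str:
    """HMAC-SHA256 over the fields the token is bound to (assumed layout)."""
    msg = f"{user_id}|{issued_at}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def generate_csrf_token(secret: bytes, user_id: str, now: Optional[int] = None) -> str:
    """Issue a stateless token: nothing needs to be stored server-side, because
    the HMAC lets the server re-derive and check it later."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)  # makes each issued token distinct
    return f"{issued_at}/{nonce}/{_mac(secret, user_id, issued_at, nonce)}"


def verify_csrf_token(secret: bytes, user_id: str, token: str,
                      now: Optional[int] = None, ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this user."""
    try:
        issued_str, nonce, mac = token.split("/")
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed token
    now = int(time.time()) if now is None else now
    if issued_at > now or now - issued_at > ttl:
        return False  # future-dated or expired
    expected = _mac(secret, user_id, issued_at, nonce)
    # Constant-time comparison so MAC checking does not leak timing information.
    return hmac.compare_digest(expected, mac)
```

The check binds the token to the user identity and the signing key, so a token issued for one session cannot be replayed by another user, and the server keeps no per-token state.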