kakwa / ldapcherry

Web UI for managing users and groups in multiple directory services.
MIT License

Add CSRF protection to all modification requests #41

Open Hiryus opened 5 years ago

Hiryus commented 5 years ago

This PR adds a random token to all modification requests to prevent CSRF attacks (see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) for a complete description of CSRF).

I was not able to run all tests though (in particular, I don't have any Active Directory handy).

coveralls commented 5 years ago


Coverage decreased (-1.6%) to 79.154% when pulling bc049eedece218f66277978bace2de0491af5963 on Hiryus:csrf-protection into 856157af799dc54ab66ef0e58d0c68fdcfb9b5cc on kakwa:master.

Hiryus commented 5 years ago

The `secrets` library was added in Python 3, but there is a back-port named `python2-secrets` if needed. Not sure how to use it only when running on Python 2 though...
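The pattern the PR describes (a random per-session token that every modification request must echo back) and the Python 2/3 `secrets` question raised above, as an added example that is not ldapcherry's own code: the session is a plain dict standing in for `cherrypy.session`, the key and field names are assumptions, and on Python 2 it falls back to `os.urandom`, which is also CSPRNG-backed, instead of requiring the `python2-secrets` back-port.

```python
import binascii
import hmac
import os

try:
    # Python 3.6+ ships the secrets module.
    import secrets

    def _random_hex(nbytes):
        return secrets.token_hex(nbytes)
except ImportError:
    # Python 2 fallback: os.urandom draws from the OS CSPRNG as well.
    def _random_hex(nbytes):
        return binascii.hexlify(os.urandom(nbytes)).decode("ascii")

CSRF_SESSION_KEY = "_csrf_token"  # assumed name of the session entry
CSRF_FORM_FIELD = "_csrf_token"   # assumed name of the hidden form field
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # read-only, no token needed


def get_or_create_csrf_token(session):
    """Return the session's token, minting a 256-bit one on first use.

    Call this when rendering any form that performs a modification and
    embed the value in a hidden input named CSRF_FORM_FIELD.
    """
    token = session.get(CSRF_SESSION_KEY)
    if not token:
        token = _random_hex(32)
        session[CSRF_SESSION_KEY] = token
    return token


def csrf_token_is_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get(CSRF_SESSION_KEY)
    if not expected or not submitted:
        return False
    try:
        return hmac.compare_digest(expected, submitted)
    except TypeError:  # mismatched str/bytes types never match
        return False


def modification_request_allowed(session, method, params):
    """Gate to run before any handler that changes users or groups."""
    if method.upper() in SAFE_METHODS:
        return True
    return csrf_token_is_valid(session, params.get(CSRF_FORM_FIELD))
```

A request that fails the gate should be rejected with 403 before any LDAP write happens, and the token should be regenerated on login so a pre-login session cannot be fixated.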