koajs / csrf

CSRF tokens for koa
MIT License

option to disable ?_csrf= support #21

Closed stephenmathieson closed 8 years ago

stephenmathieson commented 8 years ago

just had our security audit, and it was recommended we don't use query strings for passing the token around:

[...] but in your case I think it's suboptimal. If a user is on a page with a CSRF token in the URL and gets redirected to an external site, the CSRF token will be passed in the referrer header. Because those tokens do not expire after a single use, it means that the site which is receiving the redirect could use it to CSRF that user. Additionally, those tokens might appear in server logs or elsewhere, so it's better to keep them in the body of the request [...]

this said, it'd be nice to just disable the functionality here (rather than having to worry about it upstream). would you be opposed to a pr adding an option to disable query-string support?

jonathanong commented 8 years ago

👍