qld-gov-au / ckanext-csrf-filter

A CKAN extension to add protection against Cross-Site Request Forgery attacks
GNU Affero General Public License v3.0

CSRF protection in CKAN core now #39

Open markstuart opened 1 year ago

markstuart commented 1 year ago

Hi team, just wondering if it'd be worth adding some information in the README to indicate why someone might choose to use this extension over the CSRF protection that CKAN core now provides?

Clearly this extension is great for anyone on older versions of CKAN, and we recommend it alongside the https://github.com/data-govt-nz/ckanext-security extension, but possibly it also provides more extensive CSRF protection than the core implementation?

@ThrawnCA any ideas on this?

ThrawnCA commented 1 year ago

Well, it actually is mentioned in the README, although it's not specifically stated to be an advantage over core: "no modifications to existing forms". The core protection has to be disabled if you're using a plugin that hasn't been updated to work with it. This doesn't; it will inject tokens to any template on the fly.
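
As an added illustration of the on-the-fly injection described in the comment above (this is not code from ckanext-csrf-filter or CKAN core): a response filter can rewrite the rendered HTML so that every POST form carries a session-bound token, which is why existing templates need no changes. The names `SECRET`, `FIELD`, `make_token`, `token_is_valid` and `inject_tokens`, the token format and the sample page are all assumptions made for this sketch.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical names and token format; not the extension's actual code.
SECRET = secrets.token_bytes(32)  # per-deployment signing key (assumed)
FIELD = "csrf_token"              # hypothetical hidden-field name
# Opening tag of any form whose method is POST, in any letter case.
POST_FORM = re.compile(r'<form\b[^>]*\bmethod\s*=\s*["\']?post\b["\']?[^>]*>', re.I)
# Constructed sample: one GET form and one POST form, neither with a token.
SAMPLE_PAGE = ('<form action="/search" method="get"><input name="q"/></form>'
               '<form action="/dataset/edit" method="POST"><input name="title"/></form>')


def _sign(session_id: str, nonce: str) -> str:
    """HMAC that binds a nonce to one user's session."""
    return hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def make_token(session_id: str) -> str:
    """Fresh random nonce plus its session-bound signature."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign(session_id, nonce)}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Check on the POST side: reject missing, malformed or foreign tokens."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    # Constant-time comparison avoids leaking how much of the MAC matched.
    return hmac.compare_digest(mac.encode(), _sign(session_id, nonce).encode())


def inject_tokens(html: str, session_id: str) -> str:
    """Insert a hidden token field right after every POST <form> opening tag."""
    def add_field(match: re.Match) -> str:
        field = f'<input type="hidden" name="{FIELD}" value="{make_token(session_id)}"/>'
        return match.group(0) + field
    return POST_FORM.sub(add_field, html)


if __name__ == "__main__":
    print(inject_tokens(SAMPLE_PAGE, "session-A"))
```

Because the rewrite happens on the response, a plugin's template that knows nothing about CSRF tokens still produces a form the POST-side check will accept; forms built client-side in JavaScript are outside what this sketch covers.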