Closed JordanRifaey closed 5 months ago
Ok, so that is what @deployHuman referred to in https://github.com/slimphp/Slim-Csrf/pull/143#issue-1044611332
https://github.com/slimphp/Slim-Csrf/blob/f66be9740283ed4f432535aff3623540e178013a/src/Guard.php#L272 and https://github.com/slimphp/Slim-Csrf/blob/f66be9740283ed4f432535aff3623540e178013a/src/Guard.php#L280 would need to be changed.
This needs addressing, but as it's a BC break, we'll need to roll a 2.0 for it I think.
Until then, you can add:
underscores_in_headers on;
to your nginx config as per https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
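An added example (not from this thread or the Slim-Csrf project): a pre-deployment check that reads nginx config text and reports which request header names nginx would discard, based on the documented defaults of `underscores_in_headers` (off) and `ignore_invalid_headers` (on). The header names `csrf_name` and `csrf_value` and both config snippets are constructed samples, and the config is treated as one flat context (no per-server inheritance or include files).

```python
import re

# Defaults documented for ngx_http_core_module.
DEFAULTS = {"underscores_in_headers": "off", "ignore_invalid_headers": "on"}

DIRECTIVE = re.compile(
    r"^\s*(underscores_in_headers|ignore_invalid_headers)\s+(on|off)\s*;", re.M)


def effective_settings(conf_text):
    """Return the last on/off value of each directive found in conf_text.

    Assumption: the text is one flat context; inheritance between http and
    server blocks and include files are not modelled.
    """
    settings = dict(DEFAULTS)
    no_comments = re.sub(r"#.*", "", conf_text)  # ignore commented-out lines
    for name, value in DIRECTIVE.findall(no_comments):
        settings[name] = value
    return settings


def dropped_headers(header_names, conf_text):
    """List the header names nginx would silently discard under conf_text."""
    s = effective_settings(conf_text)
    if s["ignore_invalid_headers"] == "off":
        return []  # invalid names are passed through instead of ignored
    # Valid names: English letters, digits, hyphens, and underscores only
    # when underscores_in_headers is on.
    if s["underscores_in_headers"] == "on":
        allowed = r"[A-Za-z0-9_-]+"
    else:
        allowed = r"[A-Za-z0-9-]+"
    return [h for h in header_names if not re.fullmatch(allowed, h)]


# Constructed sample input: header names with the underscore pattern the
# thread describes, plus one hyphenated name for contrast.
SAMPLE_HEADERS = ["csrf_name", "csrf_value", "X-Requested-With"]
DEFAULT_CONF = "server {\n    listen 80;\n}\n"
WORKAROUND_CONF = "server {\n    listen 80;\n    underscores_in_headers on;\n}\n"

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("workaround", WORKAROUND_CONF)):
        print(label, "->", dropped_headers(SAMPLE_HEADERS, conf))
```
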
hehe yeah my first PR got little to no love, I think I was too bad at describing what problem I had stumbled on. Now tho, I have moved on a long time ago, a problem can't take 3 years to fix ^^ I think it's a warning-sign on how active this repo is :D
All good wishes from me tho! Take care
> a problem can't take 3 years to fix
I agree. Catching Covid back in 2021 has proven to be challenging for some of us and the team is very small. No excuses, it's just where it is at.
Putting no blame on you! Remember it's still open source. And we recently saw what a difficult position it is to be an owner of a repo from that whole "XZ-trust-attack" news. Hope you and everyone fully recover and take care! Much love from Sweden /G
Fixed in #186.
@blizzz @akrabat regarding this PR to enable csrf token check in http header: https://github.com/slimphp/Slim-Csrf/pull/175
It seems that the CSRF keys have an underscore in them, and NGINX does not support underscores in headers. Is there any way to customize the csrf keys so we can remove the underscore?