vanderaj / gaiabb

Full featured web forum software written in PHP
https://github.com/vanderaj/gaiabb

CSRF token should be a POST not a GET variable #91

Closed vanderaj closed 4 years ago

vanderaj commented 4 years ago

Contact.php and others stick the CSRF token in the URL.

Make it a header value or a POST variable. Non-idempotent GET requests do not need CSRF protection.
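As an added illustration of the fix the issue asks for (this is example code, not code from the gaiabb project), the helper below issues a per-session CSRF token, emits it as a hidden form field so it travels in the POST body, and validates it only from `$_POST` or an `X-CSRF-Token` header. The query string is never consulted, because a token in the URL leaks through Referer headers, browser history, proxy and server logs. The field name `csrf_token`, the header name and the session array passed in are assumptions for the example.

```php
<?php
// Added example (not from the gaiabb project): CSRF token handling that reads
// the token from the POST body or a request header, never from the query string.
// Assumed names: csrf_token (form field / session key), X-CSRF-Token (header).

declare(strict_types=1);

const CSRF_FIELD  = 'csrf_token';
const CSRF_HEADER = 'HTTP_X_CSRF_TOKEN'; // how PHP exposes "X-CSRF-Token" in $_SERVER

// Issue (or reuse) the per-session token; it lives server-side in the session.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

// Hidden input for forms, so the token is sent in the POST body, not the URL.
function csrf_field(array &$session): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        CSRF_FIELD,
        htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8')
    );
}

// Validate a state-changing request. The token is taken from the POST body or
// the X-CSRF-Token header; $_GET is deliberately ignored. Only POST requests
// are accepted, so a token appended to a GET URL can never satisfy the check.
function csrf_validate(array $session, array $post, array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_FIELD] ?? '';
    $supplied = $post[CSRF_FIELD] ?? ($server[CSRF_HEADER] ?? '');
    if ($expected === '' || !is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Self-check with constructed requests (no web server or session needed).
$session = [];
$token   = csrf_token($session);

// Case 1: token in the POST body (a normal form submission).
var_dump(csrf_validate($session, [CSRF_FIELD => $token], ['REQUEST_METHOD' => 'POST']));

// Case 2: token in the X-CSRF-Token header (an AJAX call).
var_dump(csrf_validate($session, [], ['REQUEST_METHOD' => 'POST', CSRF_HEADER => $token]));

// Case 3: token only in the URL, as contact.php currently does; the validator never reads it.
var_dump(csrf_validate($session, [], [
    'REQUEST_METHOD' => 'GET',
    'QUERY_STRING'   => CSRF_FIELD . '=' . $token,
]));

// Case 4: a wrong token in the POST body.
var_dump(csrf_validate($session, [CSRF_FIELD => 'not-the-token'], ['REQUEST_METHOD' => 'POST']));

// In a real page: echo csrf_field($_SESSION) inside each form, and call
// csrf_validate($_SESSION, $_POST, $_SERVER) before performing any state change.
```

In the real application the `$session` argument would be `$_SESSION`; passing arrays in explicitly keeps the example runnable from the command line and makes the validator easy to unit test.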