action #1634

closed

Add protection for XSS and XSRF and more security checks in general

Added by ancorgs about 10 years ago. Updated about 10 years ago.

Status: Resolved
Priority: Immediate
Assignee:
Category: -
Target version:
Start date: 2014-02-20
Due date:
% Done: 100%
Estimated time: 10.00 h


Checklist

  • csrf protection for forms
  • csrf token in post links
  • automatic csrf check for all requests != get
  • csrf token in ajax requests
  • client support for csrf
  • worker support for csrf token
  • secure cookies
  • secrets
Actions #1

Updated by ancorgs about 10 years ago

  • Target version set to Sprint 03
Actions #2

Updated by ancorgs about 10 years ago

  • Assignee set to lnussel
Actions #3

Updated by lnussel about 10 years ago

  • Status changed from New to In Progress
Actions #4

Updated by lnussel about 10 years ago

Mojolicious-Plugin-CSRFProtect is a bit strange as it duplicates functionality that mojo already provides. I.e. it reimplements the function to generate the token and stores the token as 'csrftoken' instead of using mojo's 'csrf_token'.

Actions #5

Updated by lnussel about 10 years ago

  • % Done changed from 0 to 30
initial CSRF protection support

- automatically add csrf_token to all forms created with form_for
- new postlink command to create links with data-method post and
  csrf_token

pushed to csrf branch

Actions #6

Updated by lnussel about 10 years ago

  • % Done changed from 30 to 40
Actions #7

Updated by lnussel about 10 years ago

  • Checklist item changed from to [x] csrf protection for forms, [x] csrf token in post links, [x] automatic csrf check for all requests != get, [x] csrf token in ajax requests, [x] client support for csrf, [ ] worker support for csrf token
Actions #8

Updated by lnussel about 10 years ago

  • Checklist item changed from to [x] worker support for csrf token
Actions #9

Updated by lnussel about 10 years ago

  • Checklist item changed from [x] csrf protection for forms, [x] csrf token in post links, [x] automatic csrf check for all requests != get, [x] csrf token in ajax requests, [x] client support for csrf, [x] worker support for csrf token to [x] csrf protection for forms, [x] csrf token in post links, [x] automatic csrf check for all requests != get, [x] csrf token in ajax requests, [x] client support for csrf, [x] worker support for csrf token, [ ] secure cookies, [ ] secrets
  • % Done changed from 40 to 70
Actions #10

Updated by lnussel about 10 years ago

don't store openid in config file, compute it on startup

Actions #11

Updated by lnussel about 10 years ago

  • Checklist item changed from to [x] secrets
Actions #12

Updated by lnussel about 10 years ago

  • % Done changed from 70 to 80

secrets are stored in the database now

Actions #13

Updated by lnussel about 10 years ago

  • Checklist item changed from to [x] secure cookies
Actions #14

Updated by lnussel about 10 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100

added https redirect for login, secure cookies, HSTS headers
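The pieces named in this ticket (a csrf_token added by form_for, a postlink helper with data-method post, an automatic check for every non-GET request including the AJAX header, secrets not hard-coded in the config, secure cookies, an https redirect for login and an HSTS header) fit in one small Mojolicious::Lite app. The code below is an added example written for this page, not openQA's own implementation from the csrf branch: `postlink`, the `/login` and `/logout` routes, the template and the placeholder secret are assumptions made for illustration, while `csrf_token`, `csrf_field`, `form_for`, `sessions->secure`, `is_secure` and `Mojo::Util::secure_compare` are stock Mojolicious.

```perl
#!/usr/bin/env perl
# Added example, not openQA's code: the checks described in the ticket in one
# Mojolicious::Lite app. 'postlink', the routes and the template are
# assumptions for illustration.
use Mojolicious::Lite -signatures;
use Mojo::Util qw(secure_compare);

# Session cookies are signed with these secrets. The ticket moves them out of
# the config file into the database; load them from there at startup instead
# of hard-coding them (constructed placeholder value below).
app->secrets(['CONSTRUCTED-PLACEHOLDER-SECRET']);

# Secure cookies: the session cookie is only ever sent over TLS.
# Mojolicious already marks it HttpOnly by default.
app->sessions->secure(1);

# HSTS: browsers only honour the header over TLS, so send it on secure
# responses. Behind a reverse proxy, is_secure needs MOJO_REVERSE_PROXY=1
# so that X-Forwarded-Proto is trusted (assumption about the deployment).
hook after_dispatch => sub ($c) {
  return unless $c->req->is_secure;
  $c->res->headers->header(
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains');
};

# form_for adds the token automatically: wrap the stock helper so every form
# gets a hidden csrf_token field in front of the block content.
my $form_for = app->renderer->get_helper('form_for');
helper form_for => sub ($c, @args) {
  my $block = pop @args;    # the template block
  return $form_for->($c, @args, sub { $c->csrf_field . $block->() });
};

# postlink (hypothetical helper name): a link carrying data-method="post" and
# the token, which client-side JavaScript turns into a POST request.
helper postlink => sub ($c, $text, @url) {
  return $c->tag('a',
    href              => $c->url_for(@url)->to_string,
    'data-method'     => 'post',
    'data-csrf-token' => $c->csrf_token,
    $text);
};

# Automatic check for every request that is not GET (HEAD and OPTIONS are
# safe methods too). The token comes from the form field or, for AJAX
# requests, from the X-CSRF-Token header; compare in constant time.
under sub ($c) {
  return 1 if $c->req->method =~ /^(?:GET|HEAD|OPTIONS)$/;
  my $sent = $c->param('csrf_token')
    // $c->req->headers->header('X-CSRF-Token') // '';
  return 1 if length $sent && secure_compare($sent, $c->csrf_token);
  $c->render(text => 'Forbidden: bad CSRF token', status => 403);
  return;
};

# https redirect for login: a plain-http request for the login page is sent
# to the same URL over https before any credentials can be submitted.
get '/login' => sub ($c) {
  return $c->redirect_to($c->req->url->to_abs->scheme('https'))
    unless $c->req->is_secure;
  $c->render('login_form');
} => 'login_form';

# Named 'login' by default, so form_for 'login' picks method="POST".
post '/login'  => sub ($c) { $c->render(text => 'logged in') };
post '/logout' => sub ($c) { $c->render(text => 'logged out') };

app->start;
__DATA__

@@ login_form.html.ep
%= form_for 'login' => begin
  %= text_field 'user'
  %= password_field 'pass'
  %= submit_button 'Log in'
% end
%= postlink 'Log out', 'logout'
```

Run it with `morbo app.pl`; a POST to `/logout` without a token (for example from curl) is answered with 403, while the form and the postlink rendered by `/login` carry the session's token and pass the check. Current Mojolicious also ships `$c->validation->csrf_protect`, which performs the same field-or-header comparison against the session token and can replace the manual `under` check.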
