action #1634 (closed)
Add protection for XSS and XSRF and more security checks in general
Description
More general information:
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Cross-site_request_forgery
More Mojolicious specific information:
http://mojolicio.us/perldoc/Mojolicious/Guides/Rendering#Cross-site_request_forgery
http://mojolicio.us/perldoc/Mojolicious#secrets
http://mojolicio.us/perldoc/Mojolicious/Sessions#secure
https://github.com/koorchik/Mojolicious-Plugin-CSRFProtect
http://search.cpan.org/~shibazaki/Mojolicious-Plugin-CSRFDefender-0.0.8/lib/Mojolicious/Plugin/CSRFDefender.pm
Checklist
- csrf protection for forms
- csrf token in post links
- automatic csrf check for all requests != get
- csrf token in ajax requests
- client support for csrf
- worker support for csrf token
- secure cookies
- secrets
Updated by lnussel almost 11 years ago
Mojolicious-Plugin-CSRFProtect is a bit strange as it duplicates functionality that mojo already provides, i.e. it reimplements the function to generate the token and stores the token as 'csrftoken' instead of using mojo's 'csrf_token'.
Updated by lnussel almost 11 years ago
- % Done changed from 0 to 30
initial CSRF protection support
- automatically add csrf_token to all forms created with form_for
- new postlink command to create links with data-method post and csrf_token
pushed to csrf branch
Updated by lnussel almost 11 years ago
- Checklist item changed from to [x] csrf protection for forms, [x] csrf token in post links, [x] automatic csrf check for all requests != get, [x] csrf token in ajax requests, [x] client support for csrf, [ ] worker support for csrf token
Updated by lnussel almost 11 years ago
- Checklist item changed from to [x] worker support for csrf token
Updated by lnussel almost 11 years ago
- Checklist item changed from [x] csrf protection for forms, [x] csrf token in post links, [x] automatic csrf check for all requests != get, [x] csrf token in ajax requests, [x] client support for csrf, [x] worker support for csrf token to [x] csrf protection for forms, [x] csrf token in post links, [x] automatic csrf check for all requests != get, [x] csrf token in ajax requests, [x] client support for csrf, [x] worker support for csrf token, [ ] secure cookies, [ ] secrets
- % Done changed from 40 to 70
Updated by lnussel almost 11 years ago
don't store openid in config file, compute it on startup
Updated by lnussel almost 11 years ago
- Checklist item changed from to [x] secrets
Updated by lnussel almost 11 years ago
- % Done changed from 70 to 80
secrets are stored in the database now
Updated by lnussel almost 11 years ago
- Checklist item changed from to [x] secure cookies
Updated by lnussel almost 11 years ago
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100
added https redirect for login, secure cookies, hsts headers
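As an added example covering the checklist in the description and the hardening listed in the last comment (https redirect for login, secure cookies, HSTS headers), here is a small Mojolicious::Lite application. It is not openQA's code: it uses the csrf_token and csrf_field helpers that Mojolicious ships with instead of the patched form_for described above, and the DEMO_SECRET environment variable, the route paths and the X-CSRF-Token header name are assumptions of the example.

```perl
#!/usr/bin/env perl
# Added example (not openQA's code): a Mojolicious::Lite app showing CSRF tokens
# in forms and AJAX requests, an automatic CSRF check for every non-GET request,
# secrets kept out of the config file, secure session cookies, an HSTS header
# and an HTTPS redirect for the login page.
use Mojolicious::Lite;
use Mojo::Util qw(secure_compare);

# Secrets: read from the environment here (an assumption; the ticket keeps them
# in the database). Signed session cookies are only as strong as this value.
app->secrets([$ENV{DEMO_SECRET} // die "set DEMO_SECRET before starting\n"]);

# Secure cookies: the browser sends the session cookie over HTTPS only.
app->sessions->secure(1);

# Automatic CSRF check for every request that is not GET/HEAD/OPTIONS.
# The token may arrive as the csrf_token form field or, for AJAX, in the
# X-CSRF-Token header; either is compared in constant time against the
# per-session token Mojolicious keeps behind $c->csrf_token.
app->hook(before_dispatch => sub {
  my $c      = shift;
  my $method = $c->req->method;
  return if $method eq 'GET' || $method eq 'HEAD' || $method eq 'OPTIONS';
  my $sent = $c->param('csrf_token') // $c->req->headers->header('X-CSRF-Token') // '';
  return if length $sent && secure_compare($sent, $c->csrf_token);
  $c->app->log->warn("CSRF token missing or invalid for $method " . $c->req->url->path);
  # Rendering here sets a response code, so the router is never reached.
  $c->render(text => 'Bad CSRF token', status => 403);
});

# HSTS: only meaningful on responses that were themselves served over HTTPS.
app->hook(after_dispatch => sub {
  my $c = shift;
  $c->res->headers->header('Strict-Transport-Security' => 'max-age=31536000; includeSubDomains')
    if $c->req->is_secure;
});

# HTTPS redirect for login: a plain-HTTP request is bounced to the same URL on HTTPS.
get '/login' => sub {
  my $c = shift;
  return $c->redirect_to($c->req->url->to_abs->scheme('https')) unless $c->req->is_secure;
  $c->render('login');
};

# Only reached when the before_dispatch hook accepted the token.
post '/login' => sub {
  my $c = shift;
  $c->render(text => 'logged in as ' . ($c->param('user') // ''));
};

# Assumed API route, used by the AJAX request in the template below.
post '/api/jobs' => sub {
  my $c = shift;
  $c->render(json => {ok => \1});
};

app->start;
__DATA__

@@ login.html.ep
<!DOCTYPE html>
<html>
<head>
  <meta name="csrf-token" content="<%= csrf_token %>">
</head>
<body>
  %# csrf_field adds <input type="hidden" name="csrf_token" value="..."> to the form.
  %= form_for '/login' => (method => 'POST') => begin
    %= text_field 'user'
    %= csrf_field
    %= submit_button 'Log in'
  % end
  <script>
    // AJAX requests send the same token in a header instead of a form field.
    var token = document.querySelector('meta[name="csrf-token"]').content;
    fetch('/api/jobs', {method: 'POST', headers: {'X-CSRF-Token': token}, credentials: 'same-origin'});
  </script>
</body>
</html>
```

Run it with `DEMO_SECRET=... morbo -l 'https://*:3000' app.pl` so that the secure cookie, the HSTS header and the login page are actually reachable; a POST without a token or with a token from another session gets a 403 before any route code runs, which is the "automatic csrf check for all requests != get" item of the checklist.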