SEC-2886: Session flag to bypass CSRF #3004
Labels: in: web (an issue in web modules: web, webmvc); type: enhancement (a general enhancement); type: jira (an issue that was migrated from JIRA)
Christopher Smith (Migrated from SEC-2886) said:
My application uses identical URI endpoints for both Web and non-Web clients. While I appreciate the importance of CSRF protection for Web interfaces, it would be helpful to be able to specifically tag a session as "this is from a non-Web client and should be ignored by CsrfFilter", probably with a specifically-named attribute. This would provide a straightforward and comprehensible point for implementing per-client CSRF policy.
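
One way to get the per-session behaviour requested above with the existing requireCsrfProtectionMatcher hook, shown as an added example that is not code from the issue or from the Spring Security project. The class name and the attribute name are hypothetical, and the imports assume Spring Security 6 (jakarta.servlet); the flag is assumed to be set only by server-side code after the client authenticated through a non-browser mechanism.

```java
import java.util.Set;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;

import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Decides whether CsrfFilter should enforce a token for a request.
 * Returns true (enforce) unless the session was explicitly tagged
 * as belonging to a non-Web client.
 */
public final class SessionFlagCsrfMatcher implements RequestMatcher {

    // Hypothetical attribute name; set it only from trusted server-side code,
    // never from a request parameter or header the client controls.
    public static final String NON_WEB_CLIENT_ATTR = "example.csrf.NON_WEB_CLIENT";

    // Same safe methods that CsrfFilter's default matcher leaves unprotected.
    private static final Set<String> SAFE_METHODS =
            Set.of("GET", "HEAD", "TRACE", "OPTIONS");

    @Override
    public boolean matches(HttpServletRequest request) {
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false; // read-only methods are not CSRF-checked
        }
        // getSession(false): do not create a session just to look for the flag.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return true; // no session, so no flag: fail closed and enforce CSRF
        }
        // Only an explicit Boolean.TRUE disables the check; a missing,
        // null or differently-typed attribute keeps protection on.
        return !Boolean.TRUE.equals(session.getAttribute(NON_WEB_CLIENT_ATTR));
    }
}

// Wiring inside a SecurityFilterChain bean (lambda DSL):
//   http.csrf(csrf -> csrf.requireCsrfProtectionMatcher(new SessionFlagCsrfMatcher()));
//
// Tagging a session after a non-browser login (for example in an
// AuthenticationSuccessHandler used only by the token-based login path):
//   request.getSession().setAttribute(SessionFlagCsrfMatcher.NON_WEB_CLIENT_ATTR, Boolean.TRUE);
```

If a tagged session is carried by a cookie that a browser will send automatically, the exemption removes CSRF protection for that session, so the flag belongs only on sessions whose credential is never attached ambiently.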