request #42977 Harden CSRF protection by blocking all cross-site state modifying queries to the Web UI

Infos

Artifact ID#42977

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-05-09 16:22

Submitted on2025-05-09 15:49

Rank44659

Details

Summary *

Harden CSRF protection by blocking all cross-site state modifying queries to the Web UI

Original Submission

By blocking all non-GET/HEAD requests with a Sec-Fetch-Site header set to something else than none or same-origin we could harden our CSRF protection.

For reference Tuleap already do something equivalent for the REST endpoints.

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusUnder review

Close dateEmpty

Attachments

AttachmentsEmpty

References

Cross references

Show items referenced by request #42977

Referenced by request #42977

Other

gerrit #34413

Follow-ups

Thomas Gerbet (tgerbet)

2025-05-09 16:22

See gerrit #34413.

Status changed from Under implementation to Under review

Public

Referenced by request #42977

Other

Follow-ups