Prevent csrf fixation attack (phx.gen.auth + CSRF) #5725
Merged
Plug.CSRFProtection docs:
I'm curious as to why that advice is not implemented in the phx.gen.auth templates. There probably is a good reason I'm missing. If so, add that reason to the documentation?
Further reading:
https://hexdocs.pm/plug/Plug.CSRFProtection.html
https://security.stackexchange.com/a/22936
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html