mirror/TimeTracker
1
0
Fork 0
mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2026-01-06 03:30:25 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
15c378bf7d0a520b25bfcfd5c5a037dac75092af
TimeTracker/COMMIT_MESSAGE.txt
Dries Peeters e61c628526 feat: enhance CSRF protection with double-submit cookie pattern 
Implement comprehensive CSRF token management with cookie-based
double-submit pattern to improve security and SPA compatibility.

Changes:
- Add CSRF cookie configuration in app/config.py
  * WTF_CSRF_SSL_STRICT for strict SSL validation in production
  * CSRF_COOKIE_NAME (default: XSRF-TOKEN) for framework compatibility
  * CSRF_COOKIE_SECURE inherits from SESSION_COOKIE_SECURE by default
  * CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SAMESITE, and CSRF_COOKIE_DOMAIN settings

- Implement CSRF cookie handler in app/__init__.py
  * Set CSRF token in cookie after each request
  * Configure cookie with secure flags based on environment settings
  * Support for double-submit pattern and SPA frameworks

- Add client-side CSRF token management in base.html
  * JavaScript utilities for token retrieval and validation
  * Cookie synchronization for frameworks that read XSRF-TOKEN
  * Auto-refresh mechanism for stale tokens (>15 minutes)
  * Pre-submit token validation and refresh
  * User notification for missing cookies/tokens

- Clean up docker-compose.yml environment variables
  * Remove redundant SECRET_KEY, WTF_CSRF_*, and cookie security settings
  * These are now managed through .env files and config.py

This enhancement provides better CSRF protection while maintaining
compatibility with modern JavaScript frameworks and SPA architectures.
2025-10-13 12:51:23 +02:00

31 lines
1.4 KiB
Plaintext
Raw Blame History

feat: enhance CSRF protection with double-submit cookie pattern
Implement comprehensive CSRF token management with cookie-based
double-submit pattern to improve security and SPA compatibility.
Changes:
- Add CSRF cookie configuration in app/config.py
* WTF_CSRF_SSL_STRICT for strict SSL validation in production
* CSRF_COOKIE_NAME (default: XSRF-TOKEN) for framework compatibility
* CSRF_COOKIE_SECURE inherits from SESSION_COOKIE_SECURE by default
* CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SAMESITE, and CSRF_COOKIE_DOMAIN settings
- Implement CSRF cookie handler in app/__init__.py
* Set CSRF token in cookie after each request
* Configure cookie with secure flags based on environment settings
* Support for double-submit pattern and SPA frameworks
- Add client-side CSRF token management in base.html
* JavaScript utilities for token retrieval and validation
* Cookie synchronization for frameworks that read XSRF-TOKEN
* Auto-refresh mechanism for stale tokens (>15 minutes)
* Pre-submit token validation and refresh
* User notification for missing cookies/tokens
- Clean up docker-compose.yml environment variables
* Remove redundant SECRET_KEY, WTF_CSRF_*, and cookie security settings
* These are now managed through .env files and config.py
This enhancement provides better CSRF protection while maintaining
compatibility with modern JavaScript frameworks and SPA architectures.
Reference in New Issue View Git Blame Copy Permalink