I would like to fix some security issues in the web interface.
I started by submitting a pull request that is supposed to fix XSS injection vectors.
Now I would like to add some sort of CSRF (cross-site request forgery) protection.
What I would do is to add a token to the session once the user is authenticated.
And then check, on every request that is changing data somehow, whether the token was sent as part of the 'form-data'.
This would break API usage, in case there is any.
To address the API users, I would do the following:
Check if either the right token is set, or if a special header is sent that a normal web browser could not generate on an attacker's behalf.
Any comments? Does my plan make sense to you? Am I overlooking something?
While reading some code, I found other issues that might need a closer look. But first I would like to go for the low-hanging fruit.
Anybody interested in teaming up?
Thanks for your time,
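The check described in the post (session token on state-changing requests, with a custom header as the alternative for API clients), written out as an added example; it is not code from the post or from the project. The header name `X-Requested-With` and the form field name `csrf_token` are assumptions, since the post names neither.

```python
import hmac
import secrets
from typing import Mapping

# Only requests that change data need the CSRF check; safe methods pass through.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed header for API clients. A cross-site form post or <img>/<script>
# load cannot carry a custom header; a cross-origin XHR/fetch would first need
# a CORS preflight that the server must NOT approve for this header.
API_HEADER = "x-requested-with"
API_HEADER_VALUE = "XMLHttpRequest"
FORM_FIELD = "csrf_token"  # assumed form field name


def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per session, right after login, and store it."""
    token = secrets.token_urlsafe(32)
    session[FORM_FIELD] = token
    return token  # embed this in every form that changes data


def is_request_allowed(method: str, session: Mapping[str, str],
                       form: Mapping[str, str], headers: Mapping[str, str]) -> bool:
    """Return True when a request passes the CSRF check, False when it must be rejected."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True
    # Path 1 (API clients): the special header that a browser will not add on its own.
    normalized = {name.lower(): value for name, value in headers.items()}
    if normalized.get(API_HEADER) == API_HEADER_VALUE:
        return True
    # Path 2 (browser forms): the submitted token must match the one in the session.
    expected = session.get(FORM_FIELD)
    submitted = form.get(FORM_FIELD)
    if not expected or not submitted:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(submitted, expected)
```

On the real server, attach `is_request_allowed` to every handler that modifies data and return 403 when it is False; an allow-list of mutating routes is easy to get wrong, so check by HTTP method instead.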