#3157 slipped past me last year, and caused most GET-forms in NAV to start putting CSRF tokens into GET-requests.
This is not a good idea:
- CSRF tokens are not necessary for GET requests (unless we've done something wrong and have GET views that change things)
- Putting CSRF tokens in URLs will leak them in the web server logs, which is not good security practice.
#3157 should be replaced by a better solution, though I'm not currently sure what that better solution is.
It's sort of ok at the moment, because we haven't yet switched on CSRF token verification, but once we do (see #3396), this will become a security issue.
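As an added example (not NAV's own code), a small log check for the leak described above: it scans access log lines for GET requests whose query string carries Django's `csrfmiddlewaretoken` field, lists the forms responsible, and redacts the value. The log lines are constructed, and the field name assumes NAV uses Django's default CSRF middleware.

```python
"""Find CSRF tokens leaked into web-server access logs via GET forms.

Added example, not NAV code. Assumes Django's default ``csrfmiddlewaretoken``
field name and the Apache/nginx "combined" access log format.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client ident user [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_FIELD = "csrfmiddlewaretoken"

# Constructed sample lines; paths and token values are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:00:01 +0100] "GET /search/?query=sw1&csrfmiddlewaretoken=abc123TOKENabc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2024:10:00:09 +0100] "POST /report/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2024:10:01:15 +0100] "GET /ipdevinfo/?name=gw.example.org HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2024:10:02:30 +0100] "GET /machinetracker/mac?mac=aa:bb&csrfmiddlewaretoken=zzz999TOKENzzz HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

def find_leaked_tokens(log_text):
    """Return (path, token) for every GET whose query string carries a CSRF token.

    Each hit is a token that has been written to disk in the log; the distinct
    paths are the GET forms that need fixing.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        for token in parse_qs(parts.query).get(TOKEN_FIELD, []):
            hits.append((parts.path, token))
    return hits

def offending_forms(log_text):
    """Distinct GET paths whose forms submit a CSRF token, sorted for stable output."""
    return sorted({path for path, _ in find_leaked_tokens(log_text)})

def redact_tokens(line):
    """Scrub the token value from a log line before it is stored or shared."""
    return re.sub(r"(%s=)[^&\s\"]+" % TOKEN_FIELD, r"\1[REDACTED]", line)

if __name__ == "__main__":
    for path, token in find_leaked_tokens(SAMPLE_LOG):
        print("leaked token on %s: %s" % (path, token))
    print("forms to fix:", offending_forms(SAMPLE_LOG))
```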