Posted to dev@storm.apache.org by "Parth Brahmbhatt (JIRA)" <ji...@apache.org> on 2015/04/10 01:38:13 UTC

[jira] [Resolved] (STORM-749) Remove CSRF check from rest API

     [ https://issues.apache.org/jira/browse/STORM-749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Parth Brahmbhatt resolved STORM-749.
------------------------------------
       Resolution: Fixed
    Fix Version/s: 0.11.0

> Remove CSRF check from rest API
> -------------------------------
>
>                 Key: STORM-749
>                 URL: https://issues.apache.org/jira/browse/STORM-749
>             Project: Apache Storm
>          Issue Type: Task
>    Affects Versions: 0.9.3
>            Reporter: Parth Brahmbhatt
>            Assignee: Parth Brahmbhatt
>             Fix For: 0.10.0, 0.11.0
>
>
> I think we can safely get rid of the whole CSRF code. CSRF vulnerability is only exposed when websites use session-based authentication. In our case we only use HTTP authentication, so we are not really vulnerable to CSRF attacks. Currently the CSRF check only hinders non-browser clients.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)