Posted to user@struts.apache.org by Yasser Zamani <ya...@apache.org> on 2018/10/09 09:17:38 UTC

Re: Hidden Field Name for Token For Struts 1.3


On 2018/09/25 15:41:47, hanzhiding@gmail.com <ha...@gmail.com> wrote: 
> Hi,
> Struts version: 1.3
> 
> Currently our web application is using the Struts tag <html:form> on the JSP page. This tag will generate the HTML response with the hidden form field org.apache.struts.taglib.html.TOKEN. This field is used for storing the CSRF token. We are concerned that public users accessing our web application will see this field name on the browser side and be able to know that our backend application is using Struts. This could lead to a security risk.
> 
> We would like to know if Struts 1.3 allows developers to change the name of the generated hidden field for storing the token, so that we can change the name used to something other than org.apache.struts.taglib.html.TOKEN.
> 

I don't think so, as even Struts 2 doesn't have such a feature. Struts 1 isn't supported due to EOL, but thanks a lot for your tip, which can be applied to Struts 2.

Regards.
