Details

    • Type: Story
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Application Security
    • Labels: None

Description

As of https://docs.liferay.com/portal/7.1-latest/propertiesdoc/portal.properties.html#Authentication%20Token (analogous for previous versions), it's possible to disable CSRF protection globally (this seems to have been introduced in LPS-8399). As this is a sure way to disaster if anyone ever does so: should this still be configurable?

I'm assuming that this configuration option was introduced originally out of fear of breaking apps, so that the check could be bypassed as a quick fix. These days it's a feature that can only be used to utterly break security, and I'd argue that Liferay shouldn't give users such a powerful way to harm themselves.

As a minimum, the property's explanation should be a lot more drastic (applied in LPS-81234), but ideally this feature should be removed.
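A small audit script for the situation the issue describes, added here as an illustration (it is not code from the Liferay project or from the issue reporter). The issue does not quote the property name; the script assumes the global switch in the linked "Authentication Token" section is `auth.token.check.enabled` with a shipped default of `true`, and that an override in `portal-ext.properties` wins over `portal.properties` in the usual Liferay load order. The two properties files are constructed inline for the example.

```python
"""Audit Liferay properties files for a globally disabled CSRF (auth token) check.

Added example, not Liferay's own code. Assumptions (label them as such when
adapting): the global switch is named ``auth.token.check.enabled`` and defaults
to true; files are merged in load order, later file wins.
"""
import re

PROPERTY = "auth.token.check.enabled"   # assumed property name, see docstring
DEFAULT = "true"                        # assumed shipped default
TRUE_VALUES = {"true", "yes", "on", "1"}

# key, then optional '=' or ':' separator (or whitespace), then the value
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties-style parser.

    Handles '#' and '!' comments, 'key=value', 'key: value', 'key value' and
    backslash line continuations. Like Java, a repeated key keeps the last value.
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                       # continuation of the previous line
            line = pending + line
            pending = ""
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]           # value continues on the next line
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def csrf_check_enabled(*property_texts: str) -> bool:
    """Effective value of the switch across files given in load order
    (e.g. portal.properties, then portal-ext.properties). Missing -> default."""
    merged = {}
    for text in property_texts:
        merged.update(parse_properties(text))
    return merged.get(PROPERTY, DEFAULT).strip().lower() in TRUE_VALUES


def audit(*property_texts: str) -> list:
    """Return human-readable findings; an empty list means nothing alarming."""
    findings = []
    if not csrf_check_enabled(*property_texts):
        findings.append(f"{PROPERTY} resolves to false: CSRF token check is "
                        "disabled portal-wide")
    return findings


# Constructed sample files (not taken from any real deployment).
PORTAL_PROPERTIES = """
# shipped defaults, abbreviated and constructed for this example
auth.token.check.enabled=true
example.unrelated.setting=1
"""

PORTAL_EXT_PROPERTIES = """
## the kind of "quick fix" override the issue warns about
auth.token.check.enabled = \\
    false
"""

if __name__ == "__main__":
    for finding in audit(PORTAL_PROPERTIES, PORTAL_EXT_PROPERTIES):
        print("FINDING:", finding)
```

Run it against the real `portal.properties` and `portal-ext.properties` in load order; any finding means the override the issue argues should not exist is in effect. The parser is deliberately lenient about spacing and continuations because that is exactly where a manual grep for `=false` tends to miss an override.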

People

    • Votes: 0
    • Watchers: 3