Bug #4968
openAPI with SSO access requires some CSRF protection
Status: New
Priority: Normal
Assignee: -
Category: Security
Target version: -
Description
The API can be accessed with our SSO implementations (e.g. REMOTE_USER, mod_auth_kerb), an existing session (#4776, #4895) or the HTTP basic auth "SSO" impl.
When using SSO impls, we should employ some CSRF protection so that a user with, say, an active Kerberos ticket can't be attacked into performing API requests through their active SSO.
See https://github.com/theforeman/foreman/pull/1331#issuecomment-39075332 for some background.
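The distinction the report draws is between credentials a browser attaches on its own (a REMOTE_USER set by mod_auth_kerb, a session cookie) and a credential the client supplies explicitly on each request. The former can be exercised by a cross-site page, so a state-changing API call made with them needs a CSRF token as well. The following is an added illustration in Ruby, not Foreman's own code: a hypothetical `ApiCsrfGuard` that issues an HMAC token bound to the session (or, absent a session, to the SSO principal), exempts requests carrying an explicit `Authorization` header as the issue's basic-auth path would, and rejects ambient-credential writes without a valid token. The Rack-style `env` hash, its `session_id` key and the header names are assumptions for the example.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical guard (example code, not Foreman's). It models the rule
# discussed in the issue: API writes authenticated by ambient credentials
# (REMOTE_USER from the web server, or an existing session) must also
# present a CSRF token, while a request carrying its own Authorization
# header was built by the client itself and is exempt.
class ApiCsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize(secret)
    @secret = secret
  end

  # Token bound to the caller's identity with an HMAC over a server secret:
  # a token obtained for one session cannot be replayed against another and
  # nothing beyond the secret has to be stored server-side.
  def token_for(identity)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, identity)
  end

  # env is a Rack-style hash (constructed for this example) with the keys
  # REQUEST_METHOD, REMOTE_USER, HTTP_AUTHORIZATION, HTTP_X_CSRF_TOKEN and
  # session_id (id of an established server-side session, if any).
  # Returns :allow, :deny_csrf or :deny_unauthenticated.
  def check(env)
    return :allow if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    # Explicit per-request credential: not something a browser attaches
    # on behalf of a third-party page.
    return :allow if env['HTTP_AUTHORIZATION']

    # Ambient credential: prefer the session id; fall back to the SSO
    # principal when the web server authenticated the user without one.
    identity = env['session_id'] || env['REMOTE_USER']
    return :deny_unauthenticated unless identity

    supplied = env['HTTP_X_CSRF_TOKEN'].to_s
    return :deny_csrf unless secure_compare(supplied, token_for(identity))

    :allow
  end

  private

  # Constant-time comparison so response timing does not reveal how many
  # leading characters of a guessed token were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  guard = ApiCsrfGuard.new(SecureRandom.hex(32))
  # Constructed request: a Kerberos-authenticated user with a session, POSTing
  # to the API as a cross-site page could make their browser do.
  env = { 'REQUEST_METHOD' => 'POST',
          'REMOTE_USER' => 'alice@EXAMPLE.COM',
          'session_id' => 'sess-1' }
  puts guard.check(env)   # deny_csrf: ambient credentials without a token
  puts guard.check(env.merge('HTTP_X_CSRF_TOKEN' => guard.token_for('sess-1')))  # allow
  puts guard.check('REQUEST_METHOD' => 'POST', 'HTTP_AUTHORIZATION' => 'Basic ...')  # allow
end
```

The exemption for the `Authorization` header mirrors the explicit-credential path named in the report; it is deliberate that only the ambient paths (REMOTE_USER, session) go through the token check, since those are the ones a third-party page can trigger without the user's involvement.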
Updated by Dominic Cleal over 10 years ago
- Related to Bug #4895 (API should check for the presence of a CSRF token when there is a session user) added