Dependabot Alert: Atro CSRF Middleware Bypass (security.checkOrigin) #720
Assignees
Labels
Comments
felder101
added
Sprint 47
Addition to Sprint
|
720 Acceptance Criteria
Comments/Additional Notes ADA Compliance (Automated scan via Chrome Lighthouse)
Passed 01/17/2025 - JSD |
|
Thanks for showing/explaining this during Demo. Moving to Done. |
felder101
added a commit
that referenced
this issue
Jan 23, 2025
Sprint 47 issues includes: Dependabot Alert: Atro CSRF Middleware Bypass (security.checkOrigin) #720 Dependabot Alert: Astro's server source code is exposed to the public if source maps are enabled #725 Update to the latest version of USWDS 3.11.0 #722 BUG: Training Report - Selecting an Agency w/o Bureau No Results Returned #728 Update SMTP to reflect GSA IT naming convention standard #736
Merged
felder101
added a commit
that referenced
this issue
Jan 24, 2025
Sprint 47 issues includes: Dependabot Alert: Atro CSRF Middleware Bypass (security.checkOrigin) #720 Dependabot Alert: Astro's server source code is exposed to the public if source maps are enabled #725 Update to the latest version of USWDS 3.11.0 #722 BUG: Training Report - Selecting an Agency w/o Bureau No Results Returned #728 Update SMTP to reflect GSA IT naming convention standard #736
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
Details
When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)
The text was updated successfully, but these errors were encountered: