Date: Fri, 9 Feb 2018 13:27:15 -0700 (MST)
From: Entropy
To: users@wicket.apache.org
Message-ID: <1518208035719-0.post@n4.nabble.com>
Subject: CSRF Tokens

One of our apps just underwent a security scan, and they complained about a Cross-Site Request Forgery (CSRF) vulnerability. Yet, I went to Google and found this:

https://issues.apache.org/jira/browse/WICKET-1782

Which seems to say that CSRF was fixed in 1.4 of Wicket. We're mostly on 1.6. Is there something we have to do to "turn on" Wicket's CSRF token?