HTTP GET request for /PUSH CSRF Token

Hello all

I have a large Vaadin application which is nearing completion. The client is concerned about security and in particular the CSRF token being passed in an HTTP GET request by Vaadin. Although I’ve disabled all HTTP GET requests in the application and switched to POST, this request (/PUSH?v-uid=&csrfToken=) is still an HTTP GET.

Is it not possible to change this? It seems a reasonable thing to do.

Any help would be greatly appreciated.


I presume you are using HTTPS with secure TLS ciphers in place and SSL disabled. Why is there a concern over GET versus POST? Both are encrypted. If you are concerned about your server logs being exposed, then of course that means your server is hacked and so most security is impossible to ensure at that point as the web pages you send out can be tampered with and all requests coming in can probably be accessed with simple additions of servlet filters or the like. If it’s just your web server access log, you could just turn off logging the request URL and its query params.
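The practical residue of a token in a GET URL is the access log, as the reply notes. The following is an added example, not code from either post or from Vaadin: it scans Combined-Log-Format lines for sensitive query parameters (the `csrfToken` name comes from the request quoted in the question; the other names and the log format are assumptions for this example) and masks them before the log is stored or shipped, while reporting which lines leaked a token so the leak itself can be confirmed.

```python
"""Added example (not from the forum thread): redact sensitive query
parameters such as Vaadin's csrfToken from web-server access log lines
and report which lines carried a token in the URL.

The log format (Combined Log Format) and the parameter name list are
assumptions chosen for this example, not something the posts specify.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as secrets (assumed list for this example;
# "csrfToken" is the name from the /PUSH request quoted in the question).
SENSITIVE_PARAMS = {"csrftoken", "token", "access_token", "session"}

# Matches the request part of an access-log line: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)


def redact_target(target: str) -> tuple[str, list[str]]:
    """Return the request target with sensitive query values masked,
    plus the list of parameter names that were masked."""
    parts = urlsplit(target)
    if not parts.query:
        return target, []
    masked: list[str] = []
    new_pairs: list[tuple[str, str]] = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            new_pairs.append((name, "REDACTED"))
            masked.append(name)
        else:
            new_pairs.append((name, value))
    new_query = urlencode(new_pairs)
    rebuilt = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, new_query, parts.fragment)
    )
    return rebuilt, masked


def redact_log_line(line: str) -> tuple[str, list[str]]:
    """Redact the request target inside one access-log line.
    Lines that do not look like a request line are returned unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    new_target, masked = redact_target(m.group("target"))
    if not masked:
        return line, []
    start, end = m.span("target")
    return line[:start] + new_target + line[end:], masked


def scrub_log(lines):
    """Redact every line. Returns (clean_lines, findings), where each
    finding is (line_number, method, masked_parameter_names)."""
    clean, findings = [], []
    for line_no, line in enumerate(lines, 1):
        new_line, masked = redact_log_line(line)
        clean.append(new_line)
        if masked:
            method = REQUEST_RE.search(line).group("method")
            findings.append((line_no, method, masked))
    return clean, findings


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "POST /UIDL/?v-uid=0 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /PUSH?v-uid=0&csrfToken=0123456789abcdef HTTP/1.1" 200 128',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /VAADIN/themes/app/styles.css HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    clean_lines, leaks = scrub_log(SAMPLE_LOG)
    for entry in clean_lines:
        print(entry)
    for line_no, method, params in leaks:
        print(f"line {line_no}: {method} request carried {', '.join(params)} in the query string")
```

Running the script prints the three lines with the token on the /PUSH line replaced by `REDACTED` and a one-line finding for it; the POST line, whose query string carries only `v-uid`, is left untouched. The same `findings` list doubles as a quick check that the token really does reach the log on a given server configuration.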