Get started
Loading...
Important Notice - Forums is archived

To simplify things and help our users to be more productive, we have archived the current forum and focus our efforts on helping developers on Stack Overflow. You can post new questions on Stack Overflow or join our Discord channel.

Product icon
TUTORIAL

Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.

CssImport when using Component Exporter by Mikhail Shabarov, 1 month ago
Recent Posts
Vaadin Forum3. Vaadin 6, 7, 8

HTTP GET request for /PUSH CSRF Token

Andrew Markham-Davies
7 years ago Jun 16, 2015 3:34pm

Hello all

I have a large Vaadin application which is nearing completion. The client is concerned about security and in perticular the csrf token being passed in a http GET request by Vaadin. Alough I've disabled all http GET request in the application and switched to POST, this request  (/PUSH?v-uid=&csrfToken=) is still a http GET.

Is it not possible to change this? seems a reasabile thing to do

Any help would be greatly appriciated.

Andrew

David Wall
7 years ago Jun 16, 2015 6:41pm

I presume you are using HTTPS with secure TLS ciphers in place and SSL disabled.  Why is there a concern over GET versus POST?  Both are encrypted.  If you are concerned about your server logs being exposed, then of course that means your server is hacked and so most security is impossible to ensure at that point as the web pages you send out can be tampered with and all requests coming in can probably be accessed with simple additions of servlet filters or the like.  If it's just your web server access log, you could just turn off logging the request URL and its query params.