CSRF and file upload
The Vaadin security page (https://vaadin.com/security) maintains that all requests between the client and the server include a user-session-specific CSRF token.
However, specifically on upload requests (file uploads) we do not identify such a mechanism, and we actually got flagged on a penetration test because CSRF prevention is not implemented for that sort of request.
Does anyone know how the CSRF token is implemented for file uploads in Vaadin? Or is it indeed a vulnerability of the framework?
The token is not the same one that is used for regular communication, but it is instead generated separately for each Upload component and stored as part of the user's session. This actually means that the protection is slightly stronger for upload requests.
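A minimal model of the per-component upload token the answer describes, added here as an illustration; it is not Vaadin's own code, and the class and method names (UploadTokenRegistry, register, validate, unregister) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical session-scoped registry of per-upload tokens (not Vaadin's API).
public class UploadTokenRegistry {
    private static final SecureRandom RNG = new SecureRandom();
    // upload component id -> token; lives in the server-side session, never in a cookie
    private final Map<String, String> tokens = new ConcurrentHashMap<>();

    /** Called when an upload component is attached: mint a fresh token for it. */
    public String register(String componentId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(componentId, token);
        return token; // the client must send this back with the upload request
    }

    /** Called on each upload POST: accept only if the presented token matches this component's. */
    public boolean validate(String componentId, String presented) {
        String expected = tokens.get(componentId);
        if (expected == null || presented == null) return false;
        // constant-time comparison so a mismatch reveals nothing about the stored token
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Called on detach: a token dies with its component. */
    public void unregister(String componentId) { tokens.remove(componentId); }

    public static void main(String[] args) {
        UploadTokenRegistry session = new UploadTokenRegistry();
        String t1 = session.register("upload-1");
        String t2 = session.register("upload-2");
        System.out.println("own token accepted:              " + session.validate("upload-1", t1));
        System.out.println("other component's token rejected: " + !session.validate("upload-1", t2));
        System.out.println("missing token rejected:           " + !session.validate("upload-1", null));
        session.unregister("upload-1");
        System.out.println("token rejected after detach:      " + !session.validate("upload-1", t1));
    }
}
```

The property worth checking in a pentest retest is the second line of output: a token minted for one Upload component is not accepted by another, so a forged cross-site upload request cannot reuse a token it obtained elsewhere.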
Thanks for the quick and detailed response.