Hi all,
We are using vaadin 7 and our penetration test has marked it as a vulnerability, that the csrf-token is in the url.
http://localhost:1501//webaccess/PUSH?v-uiId=0&**v-csrfToken=6609aabc-c3d9-492c-a5e4-ff57ff101c53**&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.2.13.vaadin5-javascript&X-Atmosphere-Transport=streaming&X-Atmosphere-TrackMessageSize=true&Content-Type=application%2Fjson%3B%20charset%3DUTF-8&X-atmo-protocol=true&_=1614236794138
I checked that configuring xsrf protection as disabled, removes this token from the request. What we need to achieve is to keeps xsrf protection enabled as well as do not expose the csrf in the url.
Is there any possible way to do so.
Regards Sahil