| author | Adam Mathes <adam@adammathes.com> | 2026-02-16 14:02:48 -0800 |
|---|---|---|
| committer | Adam Mathes <adam@adammathes.com> | 2026-02-16 14:02:48 -0800 |
| commit | 2e459c911031669080bc110059cf2b4b19c5379d (patch) | |
| tree | 60650c8fc5e2d919b5e6fdb4b073b0f0f4d54d8e /web/static | |
| parent | 52ea335714f2b495b92f87636c269b73b4067066 (diff) | |
| download | neko-2e459c911031669080bc110059cf2b4b19c5379d.tar.gz neko-2e459c911031669080bc110059cf2b4b19c5379d.tar.bz2 neko-2e459c911031669080bc110059cf2b4b19c5379d.zip | |
Enhance CSRF protection for login page
Login form now includes a CSRF token from the cookie as a hidden form
field. The CSRF middleware accepts tokens from either the X-CSRF-Token
header (for JS clients) or the csrf_token form field (for HTML forms).
Removed /login from the CSRF exclusion list so login POSTs are now
validated.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
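The middleware behaviour the commit message describes, as an added example rather than neko's own code: a Go net/http double-submit-cookie middleware that issues the `csrf_token` cookie on safe requests, accepts the echoed token from either the `X-CSRF-Token` header (JS clients) or the `csrf_token` form field (HTML forms), compares it in constant time, and has no exclusion list, so a POST to /login/ is validated like any other. The cookie, header and field names match the commit message; the function names, the `loginStatus` driver and the token format are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Names follow the commit message; everything else here is illustrative, not neko's code.
const (
	csrfCookieName = "csrf_token"
	csrfHeaderName = "X-CSRF-Token"
	csrfFormField  = "csrf_token"
)

// newCSRFToken returns 32 random bytes as hex (no '=' so a naive cookie split still works).
func newCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// submittedToken prefers the header (JS clients) and falls back to the form field (HTML forms).
func submittedToken(r *http.Request) string {
	if t := r.Header.Get(csrfHeaderName); t != "" {
		return t
	}
	if err := r.ParseForm(); err != nil {
		return ""
	}
	return r.PostFormValue(csrfFormField)
}

// tokensMatch rejects empty values and compares in constant time.
func tokensMatch(cookieTok, submitted string) bool {
	if cookieTok == "" || submitted == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(cookieTok), []byte(submitted)) == 1
}

// CSRF is the double-submit check. Safe methods pass through and get a cookie if they lack one;
// state-changing methods must echo the cookie value. There is deliberately no path exclusion list.
func CSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(csrfCookieName)
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			if err != nil || c.Value == "" {
				tok, genErr := newCSRFToken()
				if genErr != nil {
					http.Error(w, "internal error", http.StatusInternalServerError)
					return
				}
				// Not HttpOnly on purpose: login.html's script reads it through document.cookie.
				http.SetCookie(w, &http.Cookie{
					Name: csrfCookieName, Value: tok, Path: "/",
					Secure: true, SameSite: http.SameSiteLaxMode,
				})
			}
			next.ServeHTTP(w, r)
			return
		}
		if err != nil || !tokensMatch(c.Value, submittedToken(r)) {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// loginStatus posts to /login/ through the middleware with the given cookie, header and
// form-field tokens ("" means absent) and returns the HTTP status the client would see.
func loginStatus(cookieTok, headerTok, fieldTok string) int {
	h := CSRF(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	form := url.Values{}
	if fieldTok != "" {
		form.Set(csrfFormField, fieldTok)
	}
	req := httptest.NewRequest(http.MethodPost, "/login/", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookieTok != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookieTok})
	}
	if headerTok != "" {
		req.Header.Set(csrfHeaderName, headerTok)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok := "0123456789abcdef"
	fmt.Println("form field:", loginStatus(tok, "", tok))  // 200
	fmt.Println("header:", loginStatus(tok, tok, ""))      // 200
	fmt.Println("no token:", loginStatus(tok, "", ""))     // 403
	fmt.Println("no cookie:", loginStatus("", "", tok))    // 403
}
```

The header is consulted first, so a JS client that sends a stale header alongside a correct form field is rejected rather than silently accepted; that matches the "either/or" wording in the commit message while keeping a single comparison path.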
Diffstat (limited to 'web/static')
| -rw-r--r-- | web/static/login.html | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/web/static/login.html b/web/static/login.html index c7d0a03..c469528 100644 --- a/web/static/login.html +++ b/web/static/login.html @@ -115,7 +115,8 @@ <body> <div class="login-card"> <h1>Welcome Back</h1> - <form action="/login/" method="post"> + <form action="/login/" method="post" id="login-form"> + <input type="hidden" name="csrf_token" id="csrf_token" value=""> <div class="input-group"> <label for="username">Username</label> <input type="text" id="username" name="username" required autofocus autocomplete="username"> @@ -126,6 +127,10 @@ </div> <button type="submit">Sign In</button> </form> + <script> + var match = document.cookie.split('; ').find(function(row) { return row.startsWith('csrf_token='); }); + if (match) document.getElementById('csrf_token').value = match.split('=')[1]; + </script> <div class="footer"> Neko RSS Reader </div> |
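Review bot: in the first hunk (`@@ -115,7 +115,8 @@`), the hidden `csrf_token` input ships with `value=""` and nothing in the static markup fills it, so a client with JavaScript disabled, or one served a Content-Security-Policy that blocks inline scripts, now posts an empty token and, with /login removed from the exclusion list, can no longer log in; if the server can render this page, emit the token into `value` directly, otherwise document that login requires JavaScript. The added `id="login-form"` is not referenced anywhere in the diff (the script looks up `csrf_token` by id); drop it or say what uses it.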
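Review bot: in the second hunk (`@@ -126,6 +127,10 @@`), `match.split('=')[1]` keeps only the text up to the first `=` in the cookie value, so a token that contains `=` (base64 with padding, for instance) is silently truncated and every login POST then fails validation; use `match.slice('csrf_token='.length)` and, if the middleware URL-encodes the cookie, `decodeURIComponent` on the result. The script also does nothing when the cookie is absent, leaving the field empty, so confirm that the GET of /login/ sets `csrf_token` before the form can be submitted. Reading it through `document.cookie` requires the cookie not be `HttpOnly`, and the protection rests on the cookie's `Secure` and `SameSite` attributes set by the middleware, which this diff (limited to web/static) does not show.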
