ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434514917
##########
webapps/docs/config/filter.xml:
##########
@@ -291,6 +291,13 @@
request. The default value is <code>403</code>.</p>
</attribute>
+ <attribute name="enforce" required="false">
+ <p>A flag to enable or disable enforcement. When enforcement is
+ disabled, the CsrfPreventionFilter will <i>allow all requests</i> and
+ log CSRF failures as DEBUG messages. The default is <b>true</b>,
+ enabling the enforcement of CSRF protections.</p>
+ </attribute>
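Review bot: The new `enforce` description says what the filter does with failing requests when enforcement is off, but not what it still does with passing ones; since the value of the mode is that nonces keep being generated and added to encoded URLs while failures are only logged, add a sentence to the `<p>` stating that token generation and URL encoding are unchanged when `enforce` is `false`. Because the failures are recorded as DEBUG messages, which are not visible until the logger level is raised, consider also naming the logger an operator has to enable to see them. Style: the surrounding entries mark values with `<code>` (`The default value is <code>403</code>`), so the default here should read `<code>true</code>` rather than `<b>true</b>`.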
Review Comment:
Removing the filter from `web.xml` will not produce log messages for CSRF
failures, nor will it add CSRF tokens to URLs produced by the application.
Running in a non-enforcement mode is helpful to collect real-world
information about your application without breaking it.
Please see https://lists.apache.org/thread/47syblyghh3tromyf6bkvl8q14w70f3x
for the initial conversation, where I make the case for a non-enforcement mode.
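A staged rollout of the filter in the non-enforcement mode argued for above, as an added example that is not part of the PR or of Tomcat's own documentation. It assumes the attribute is passed as a filter init-param named `enforce`, as the documentation change describes, that the filter class is `org.apache.catalina.filters.CsrfPreventionFilter`, and that the filter logs through Tomcat JULI, where DEBUG maps to level FINE.

```xml
<!-- web.xml fragment: filter active, enforcement off, failures logged only.
     Nonces are still generated and encoded into URLs, so the application
     runs exactly as it will once enforcement is switched on. -->
<filter>
  <filter-name>CsrfPreventionFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- assumed init-param name, taken from the PR's attribute documentation -->
    <param-name>enforce</param-name>
    <!-- false: log CSRF failures at DEBUG and let the request through;
         flip to true once the log stays clean under real traffic -->
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CsrfPreventionFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

To actually see the DEBUG failures, raise the filter's logger in `conf/logging.properties` with `org.apache.catalina.filters.CsrfPreventionFilter.level = FINE` and confirm a handler on that logger accepts FINE. Each logged failure is a page or link the application produces without a valid nonce and is what would have been denied with `enforce` set to `true`.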