Hi,
Struts version: 1.3

Currently our web application is using the Struts tag <html:form> on the JSP page. 
This tag will generate the HTML response with the hidden form field 
org.apache.struts.taglib.html.TOKEN. This field is used for storing the CSRF 
token. We are concerned that public users accessing our web application will see 
this field name on the browser side and be able to tell that our backend 
application is using Struts. This could lead to a security risk.

We would like to know if Struts 1.3 allows developers to change the name of the 
generated hidden field for storing the token, so that we can change the name used to 
something other than org.apache.struts.taglib.html.TOKEN.
