Add csrf checking for cookie posts, fix file hotlinking

2015-08-10 11:44:47 +01:00 · 2015-08-10 11:44:47 +01:00 · b9c6598250
commit b9c6598250
parent 9ccf3d855e
7 changed files with 27 additions and 16 deletions
--- a/web/views/forgot.ejs
+++ b/web/views/forgot.ejs
@ -25,7 +25,7 @@
      <% } %>
      <div class="holder">
          <form role="form" action="/forgot<%= token ? '/' + token : '' %>" method="post">
-
+              <input type="hidden" name="_csrf" value="<%= csrf %>" />
              <% if(typeof error !== 'undefined') { %>
                <div class="alert alert-danger">
                  <%= error %>