struts-user mailing list archives

From hanzhiding@gmail.com <hanzhid...@gmail.com>
Subject Hidden Field Name for Token For Struts 1.3
Date Tue, 25 Sep 2018 15:41:47 GMT
Hi,
Struts version: 1.3

Currently our web application is using the Struts tag <html:form> on the JSP page. This
tag generates the HTML response with the hidden form field org.apache.struts.taglib.html.TOKEN.
This field is used for storing the CSRF token. We are concerned that public users accessing our
web application will see this field name on the browser side and be able to know that our backend
application is using Struts. This could lead to a security risk.

We would like to know if Struts 1.3 allows developers to change the name of the generated hidden
field for storing the token, so that we can change the name to something other than org.apache.struts.taglib.html.TOKEN.
 

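
The concern raised in the message above can be checked against a site's own rendered pages. The following is an added example, not part of the original post or of Struts: a Python audit that flags hidden inputs whose names disclose a server-side framework, without recording the token value. The package-style heuristic, the function and class names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Field name quoted in the message above.
STRUTS1_TOKEN = "org.apache.struts.taglib.html.TOKEN"
# Assumption: a dotted, package-style name (e.g. com.vendor.pkg.NAME) marks a
# framework-generated field worth reviewing.
PACKAGE_STYLE = re.compile(r"^(?:[a-z][a-z0-9_]*\.){2,}[A-Za-z_][A-Za-z0-9_]*$")


class HiddenFieldAudit(HTMLParser):
    """Collects hidden <input> names that disclose server-side technology."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "hidden":
            return
        name = a.get("name", "")
        if name == STRUTS1_TOKEN:
            reason = "Struts 1 token field"
        elif PACKAGE_STYLE.match(name):
            reason = "package-style field name"
        else:
            return
        # Record name and source line only; the token value is never stored.
        line, _col = self.getpos()
        self.findings.append({"name": name, "reason": reason, "line": line})


def audit_html(html_text):
    """Return a list of findings for one rendered HTML document."""
    parser = HiddenFieldAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample of a rendered form; not captured from a real application.
SAMPLE = """<form name="loginForm" method="post" action="/app/login.do">
<div><input type="hidden" name="org.apache.struts.taglib.html.TOKEN" value="0123abcd"></div>
<input type="hidden" name="returnTo" value="/home">
<input type="text" name="username">
</form>"""
```

Running `audit_html` over saved responses from a staging crawl shows which pages expose the field name and on which line.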

