Skip to content

[Security] Missing CSRF state validation on attachment deletion endpoint #591

Description

@Pratikshya32

Description

Attachment file deletion endpoints lack CSRF token protection, leaving authenticated user attachments vulnerable to cross-site request forgery attacks via malicious third-party links.

Proposed Refactoring

  • Integrate CSRF middleware protection on all state-modifying API endpoints.
  • Verify double-submit cookies or custom header token validation.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions