
Implemented Improve csrf_token to mitigate BREACH attacks

Discussion in 'Closed Suggestions' started by AlexT, Aug 7, 2013.

  1. AlexT

    AlexT Well-Known Member

    XenForo sites running on SSL/TLS may be subject to BREACH attacks. To mitigate the attack, one could improve the csrf_token generated by XenForo. Currently it consists of a random string of 40 characters. Instead, it is suggested to do the following:

     
  2. Mike

    Mike XenForo Developer Staff Member

    The method is different, but it already changes on every request (it's re-hashed based on the time).
     
    Walter and AlexT like this.
  3. AlexT

    AlexT Well-Known Member

    Excellent Mike!
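
A sketch of the approach described in Mike's reply: the CSRF token is re-derived from the current time, so the value in the response body does not stay fixed across the many requests a BREACH-style compression attack relies on. This is an added example, not part of the thread and not XenForo's code; the token layout, the use of HMAC-SHA256, `TOKEN_TTL` and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL = 3600  # assumed validity window in seconds (not a XenForo setting)


def issue_token(session_secret: bytes, now: Optional[int] = None) -> str:
    """Return "<unix time>,<hex MAC>". The stable per-session secret never
    appears in the page; only a time-dependent MAC of it does."""
    ts = int(time.time()) if now is None else int(now)
    mac = hmac.new(session_secret, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts},{mac}"


def verify_token(session_secret: bytes, token: str, now: Optional[int] = None) -> bool:
    """Recompute the MAC from the embedded time and compare in constant time."""
    current = int(time.time()) if now is None else int(now)
    ts_text, sep, mac = token.partition(",")
    if not sep or len(ts_text) > 12 or not ts_text.isascii() or not ts_text.isdigit():
        return False  # malformed token
    ts = int(ts_text)
    if ts > current or current - ts > TOKEN_TTL:
        return False  # issued in the future, or expired
    expected = hmac.new(session_secret, ts_text.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed per-session secret
    first = issue_token(secret, now=1_700_000_000)
    second = issue_token(secret, now=1_700_000_001)
    # Tokens issued in different seconds differ, yet both still verify.
    # Two responses rendered within the same second carry the same token.
    print(first != second, verify_token(secret, first, now=1_700_000_100))
```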
     
