On 2018/09/25 15:41:47, hanzhid...@gmail.com <hanzhid...@gmail.com> wrote: 
> Hi,
> Struts version: 1.3
> 
> Currently our web application is using the Struts tag <html:form> on the JSP
> page. This tag will generate the HTML response with the hidden form field
> org.apache.struts.taglib.html.TOKEN. This field is used for storing the CSRF
> token. We are concerned that a public user accessing our web application will
> see this field name at the browser side, and be able to know that our backend
> application is using Struts. This could lead to a security risk.
> 
> We would like to know if Struts 1.3 allows the developer to change the name of
> the generated hidden field for storing the token, so that we can change the
> name used to something other than org.apache.struts.taglib.html.TOKEN.
> 

I don't think so, as even Struts 2 doesn't have such a feature. Struts 1 isn't
supported due to EOL, but thanks a lot for your tip, which can be applied to
Struts 2.

Regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
