I’ve looked at the Gravity documentation about CSRF and it looks like CSRF protection should be implemented natively in Gravity by using the WordPress nonce. But every time I create a post, I cannot see any CSRF field being generated inside the output HTML.
There is just a “state_1” field (with a hash-like value) added to the form when it is submitted. But the weird thing is that when I change a character of that hash code and repost the form, it does work.
And here are my two questions. How is CSRF implemented in forms? If it is not active by default, how can I activate it?
Cross-Site Request Forgery (CSRF) attacks only really impact authenticated forms, because during the attack you’re forcing another user to take an action on your behalf. If you can already do this action yourself (as there’s no authentication), then there is no point in forcing another user to do it for you.
If your form is intended for authenticated users then you should enable the “require user to be logged in” form setting to prevent unwanted impersonation submissions. When that setting is enabled a nonce check is added.
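The mechanism the answer describes (a WordPress nonce check that only makes sense once the form requires a login), as an added PHP example that is not code from this thread or from Gravity Forms; the shortcode name, nonce action, user-meta key and the `gform_require_login` hook name are assumptions.

```php
<?php
// Added example, not from the thread or Gravity Forms: a logged-in-only
// form that carries a WordPress nonce, and a handler that rejects any
// submission whose nonce does not verify for the current user.

// 1. Render the form: wp_nonce_field() adds a hidden token bound to
//    the logged-in user and the action name (action name assumed).
function example_render_form() {
    if ( ! is_user_logged_in() ) {
        return '<p>Please log in to use this form.</p>';
    }
    ob_start();
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_note', 'example_nonce' ); ?>
        <input type="text" name="note" />
        <button type="submit">Save</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'example_note_form', 'example_render_form' );

// 2. Handle the submission: a cross-site forged request cannot supply a
//    nonce valid for this user and action, so it is refused before any
//    state changes. Without the login requirement there is no user to
//    bind the nonce to, which is the point the answer makes.
function example_handle_submission() {
    if ( ! isset( $_POST['note'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required.', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_POST['example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_note' ) ) {
        wp_die( 'CSRF check failed.', '', array( 'response' => 403 ) );
    }
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ) );
    update_user_meta( get_current_user_id(), 'example_note', $note ); // meta key assumed
}
add_action( 'init', 'example_handle_submission' );

// 3. For Gravity Forms itself, the answer's advice is the "require user to be
//    logged in" setting; this filter (hook name assumed) forces it on for every form.
add_filter( 'gform_require_login', '__return_true' );
```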