CSRF token and caching
Dridi Boukelmoune
dridi at varni.sh
Wed May 25 12:23:39 CEST 2016
On Wed, May 25, 2016 at 11:02 AM, Pinakee BIswas <pinakee at waltzz.com> wrote:
> Hi,
>
> Our backend uses CSRF tokens for form posts. For pages with forms, if
> Varnish caching is enabled for such pages, form post is failing due to CSRF
> error. Is there a way to handle this? I have been reading that using ESI is
> a solution.
>
> Would really appreciate if someone could help with the above.

IIUC a client may GET a page that contains tokens for a later POST, and
such pages should not be cached by Varnish.

The solution would then be to have your backend add
Cache-Control:private when responses target specific clients.

Dridi
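
The reply's suggestion sketched as backend code. This is an added example, not code from the thread or from Varnish. It assumes a Python WSGI backend that renders the token as a hidden field named `csrf_token`; the demo app, its paths and `shared_cache_may_store` (a simplified model of a shared cache, not Varnish's VCL) are hypothetical.

```python
import re
import secrets

# Assumption: the token is rendered as a hidden form field with this name.
TOKEN_FIELD = re.compile(rb'name=["\']csrf_token["\']')

class PrivateWhenTokenized:
    """WSGI middleware: mark responses embedding a per-client CSRF token as private."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        captured = {}
        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)
        body = b"".join(self.app(environ, capture))  # buffer so the body can be inspected
        headers = captured["headers"]
        if TOKEN_FIELD.search(body):
            # Replace any cacheable policy: this response targets one client only.
            headers = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            headers.append(("Cache-Control", "private"))
        start_response(captured["status"], headers)
        return [body]

def demo_app(environ, start_response):
    """Constructed backend: /signup carries a token, every other path is static."""
    if environ["PATH_INFO"] == "/signup":
        token = secrets.token_hex(16).encode()
        body = b'<form method="post"><input type="hidden" name="csrf_token" value="%s"></form>' % token
    else:
        body = b"<p>static page</p>"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=300")])
    return [body]

def fetch(app, path):
    """Run one GET through the app and return its response headers (lower-cased names)."""
    out = {}
    def sr(status, headers, exc_info=None):
        out.update({k.lower(): v for k, v in headers})
    b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, sr))
    return out

def shared_cache_may_store(headers):
    """Simplified model: a shared cache must not store private or no-store responses."""
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    return not ({"private", "no-store"} & directives)

wrapped = PrivateWhenTokenized(demo_app)
```

Without the middleware, the token-bearing page goes out with the same cacheable policy as static pages, so a shared cache could hand one client's token to every later visitor.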
More information about the varnish-misc mailing list