Adding CSRF Protection to Custom Smarty Templates

Problem

In my online store I'm using custom Smarty templates that contain forms with the POST method. How can I make my HTML forms more secure?

Solution

Starting from Odin Automation 7.1, CSRF protection is added to HTML forms that use the POST method. CSRF protection is a security mechanism that guards the POST data while POST forms are processed, so that a request forged by another site on behalf of a logged-in user is rejected (for more information, refer to https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).

In the product, all HTML forms that use the POST method and include the operationType parameter now contain a hidden element carrying the CSRF token, <input name="CSRFToken" type="hidden" value="<token>" />, which is emitted by the {GetCSRFTokenElement} function.

You must manually update your custom Smarty templates by adding a CSRF token inside your forms as demonstrated in the example below:

<!--
  domain_renew.tpl
  variables: $state->domain - entered domain name
-->
<form action="{$baseURL}" method="post"
      id="operation_renew"
      onSubmit="ValidateForm('operation_{$pos}', event);">
    {* The token element must be placed inside the <form> so it is submitted with the POST data *}
    {GetCSRFTokenElement}
    <input type="hidden" name="operationType" value="renew" />
    ...
</form>

Custom templates that contain POST method but do not contain a CSRF token will not work after the upgrade to Odin Automation 7.1.
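Because every custom template has to be updated by hand, it helps to audit the template directory before upgrading. The script below is an added example, not part of Odin Automation or this KB article: it scans .tpl files for <form> blocks with method="post" and reports those that do not contain {GetCSRFTokenElement}, noting whether the form also carries the operationType input that the product's own forms use. The sample template embedded in it is constructed for the demonstration.

```python
"""Audit custom Smarty templates for POST forms that lack {GetCSRFTokenElement}.

Added example, not Odin Automation's own tooling. It matches <form>...</form>
blocks textually, so a form tag split by Smarty logic ({if} around the <form>)
may need a manual look; the script is a pre-upgrade checklist, not a parser.
"""
import re
import sys
from pathlib import Path

# One <form ... </form> block at a time; DOTALL lets the body span lines.
FORM_RE = re.compile(r"<form\b.*?</form>", re.IGNORECASE | re.DOTALL)
# method="post" (quotes optional, case-insensitive) inside the opening <form> tag.
METHOD_POST_RE = re.compile(r"""<form\b[^>]*\bmethod\s*=\s*["']?post["']?""", re.IGNORECASE)
# The hidden operationType input that the product's own POST forms carry.
OPERATION_TYPE_RE = re.compile(r"""name\s*=\s*["']operationType["']""", re.IGNORECASE)
# The Smarty function from the KB article that emits the CSRFToken hidden input.
TOKEN_RE = re.compile(r"\{GetCSRFTokenElement\}")
ID_RE = re.compile(r"""<form\b[^>]*\bid\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_unprotected_forms(template_text):
    """Return [(form_id, has_operation_type), ...] for POST forms without the token.

    form_id is the form's id attribute, or "<no id>" when it has none.
    """
    missing = []
    for match in FORM_RE.finditer(template_text):
        form = match.group(0)
        if not METHOD_POST_RE.search(form):
            continue  # GET forms are not covered by the CSRF change
        if TOKEN_RE.search(form):
            continue  # already protected
        id_match = ID_RE.search(form)
        form_id = id_match.group(1) if id_match else "<no id>"
        missing.append((form_id, bool(OPERATION_TYPE_RE.search(form))))
    return missing


def audit_directory(root):
    """Walk `root` for *.tpl files; return {path: findings} for files with unprotected POST forms."""
    findings = {}
    for path in sorted(Path(root).rglob("*.tpl")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_unprotected_forms(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample: one form already fixed as in the KB article, one POST form
# still missing the token, and one GET form that needs no change.
SAMPLE_TEMPLATE = """
<form action="{$baseURL}" method="post" id="operation_renew">
    {GetCSRFTokenElement}
    <input type="hidden" name="operationType" value="renew" />
</form>
<form action="{$baseURL}" method="post" id="operation_transfer">
    <input type="hidden" name="operationType" value="transfer" />
</form>
<form action="{$baseURL}" method="get" id="domain_search">
    <input type="text" name="domain" />
</form>
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_csrf.py /path/to/custom/templates
        for path, hits in audit_directory(sys.argv[1]).items():
            for form_id, has_op in hits:
                tag = "operationType" if has_op else "no operationType"
                print(f"{path}: form '{form_id}' ({tag}) lacks {{GetCSRFTokenElement}}")
    else:
        print(find_unprotected_forms(SAMPLE_TEMPLATE))
```

Run it against the directory holding your custom templates before the upgrade; every line it prints is a form that will stop working under Odin Automation 7.1 until {GetCSRFTokenElement} is added inside it.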