
Hello, 

Google Search Console notified me of a bunch of nondescript Commerce 500 Error URLs, presumably product page URLs, that had failed validation, and I noticed that the CSRF keys are logged. They don't seem very SEO friendly and I wondered if they should be part of the recent SEO review.


Secondly, I was wondering what your (IPS) take is on making these CSRF keys available in URLs? Presumably they are time limited, so a bad actor obtaining them wouldn't be able to make use of them, but wouldn't POST be a more secure method of passing and receiving security-related values? I'm no expert but have read advice for and against making them available in URLs.

Many thanks.

  • Community Expert

An invalid CSRF key should return a 403 rather than a 500. Could you please provide the full URL here?

CSRF keys are slowly being removed from the URL and positioned more in the body. This will be something I will follow up with our dev team on, as it may just be that we haven't gotten here quite yet.
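To illustrate the two points raised here (an invalid or missing token is a 403 client error, not a 500, and the token belongs in the POST body rather than the query string), this is an added example, not IPS code; the Request class, the session dict and the field name csrf_token are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for a framework request object (assumption, not IPS's API).
@dataclass
class Request:
    method: str
    query: dict = field(default_factory=dict)    # parsed ?a=b parameters
    form: dict = field(default_factory=dict)     # parsed POST body fields
    session: dict = field(default_factory=dict)  # server-side session store


def issue_csrf_token(session: dict) -> str:
    """Create a per-session token and keep it server-side; it is never put in a URL."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def csrf_status(req: Request) -> int:
    """Return the HTTP status a CSRF check should produce: 200 or 403, never 500.

    Safe methods pass through; state-changing methods must carry the token in the
    body. A token that only appears in the query string is ignored, so it cannot
    leak into crawler reports, referrer headers or server logs and still be useful.
    """
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return 200
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token")      # body only; req.query is deliberately unused
    if not expected or not supplied:
        return 403                              # missing token is a client error, not a crash
    if not hmac.compare_digest(expected, supplied):
        return 403                              # constant-time comparison
    return 200
```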

  • Author

Thanks for the super fast reply.

Those URLs just had my site domain in front, the one I selected / entered when creating this topic. Is that what you mean? I can add the export download file if safe to do so.

When I tested one just now, it passed the Live Test option as available for reindexing.

Edited by The Old Man

  • Community Expert
3 minutes ago, The Old Man said:

Thanks for the super fast reply.

Those URLs just had my site domain in front, the one I selected / entered when creating this topic. Is that what you mean? I can add the export download file if safe to do so.

When I tested one just now, it passed the Live Test option as available for reindexing.

Yeah, I just want to go to one of these with the exact CSRF key to see why it is claiming a 500 error rather than a 403. If you feel more comfortable messaging me it, feel free to do so.

  • Author

PM sent! Thank you.

  • Community Expert

When performing a GET request to these URLs uncached, I am getting a 403 as expected. Most of these look to have been crawled not too long ago, so it could be that something has been resolved. I would recommend having Google re-crawl these to see if this issue has since been resolved.

  • Author

Thanks Jim, much appreciated.
