Commerce URLs and CSRF

Hello, 

Google Search Console notified me of a bunch of non-descript Commerce 500 Error URLs, presumably product page URLs, that had failed validation and I noticed that the CSRF keys are logged. They don't seem very SEO friendly and I wondered if they should be part of the recent SEO review.


Secondly, I was wondering what your (IPS) take is on making these CSRF keys available in URLs? Presumably they are time limited so a bad actor obtaining them wouldn't be able to make use of them but wouldn't POST be a more secure method of passing and receiving security related values? I'm no expert but have read advice for and against making them available in URLs.

Many thanks.


An invalid CSRF key should return a 403 rather than a 500. Could you please provide the full URL here?

CSRF keys are slowly being removed from the URL and propositioned more in the body. This will be something I will follow up with our dev team on as it may just be we haven't gotten here quite yet.

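An added illustration of the two points in this reply (a 403, not a 500, for an invalid key, and reading the key from the request body instead of the URL). This is example code, not Invision Community's own; the parameter name csrfKey and the simple per-session token model are assumptions.

```python
import hmac
import secrets
from typing import Mapping, Optional


def new_csrf_token() -> str:
    """Generate a per-session token (assumed to be stored server-side in the session)."""
    return secrets.token_hex(16)


def validate_csrf(method: str, query: Mapping[str, str], body: Mapping[str, str],
                  session_token: Optional[str]) -> int:
    """Return the HTTP status a state-changing request should receive.

    - Only POST is accepted for state changes, so the token never has to ride in a URL.
    - The token is read from the form body only; a csrfKey in the query string is
      deliberately ignored, so it cannot end up in access logs, Referer headers or
      crawler reports the way a URL-carried key does.
    - A missing or mismatched token is a client error (403), never a server error (500).
    """
    if method.upper() != "POST":
        return 405                      # state changes must be POSTed
    if session_token is None:
        return 403                      # no session to compare against
    submitted = body.get("csrfKey")     # note: `query` is intentionally not consulted
    if not submitted:
        return 403
    if not hmac.compare_digest(submitted, session_token):
        return 403                      # constant-time comparison
    return 200


def token_visible_in_request_line(url: str) -> bool:
    """True if a csrfKey parameter would appear in the request line a web server logs.

    Constructed check used to show why URL-carried keys surface in logs and crawlers.
    """
    return "csrfKey=" in url
```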

Thanks for the super fast reply.

Those URLs just had my site domain in front, the one I selected / entered when creating this topic. Is that what you mean? I can add the export download file if safe to do so.

When I tested one just now it passed the Live Test option as available for reindexing.

Edited by The Old Man

3 minutes ago, The Old Man said:

Thanks for the super fast reply.

Those URLs just had my site domain in front, the one I selected / entered when creating this topic. Is that what you mean? I can add the export download file if safe to do so.

When I tested one just now it passed the Live Test option as available for reindexing.

Yeah, I just want to go to one of these with the exact CSRF key to see why it is claiming a 500 error rather than a 403. If you feel more comfortable messaging me it, feel free to do so.
