The Old Man Posted February 2, 2022 Hello, Google Search Console notified me of a bunch of nondescript Commerce 500 Error URLs, presumably product page URLs, that had failed validation, and I noticed that the CSRF keys are logged. They don't seem very SEO friendly and I wondered if they should be part of the recent SEO review. Secondly, I was wondering what your (IPS) take is on making these CSRF keys available in URLs? Presumably they are time limited, so a bad actor obtaining them wouldn't be able to make use of them, but wouldn't POST be a more secure method of passing and receiving security-related values? I'm no expert but have read advice for and against making them available in URLs. Many thanks.
Jim M Posted February 2, 2022 An invalid CSRF key should return a 403 rather than a 500. Could you please provide the full URL here? CSRF keys are slowly being removed from the URL and repositioned more in the body. This will be something I will follow up with our dev team on, as it may just be that we haven't gotten here quite yet.
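The two points in the reply above (an invalid key must be rejected with 403, not 500, and the key belongs in the POST body rather than the query string) as an added example of a server-side CSRF check. This is illustrative code written for this thread, not Invision Community's own implementation; the token format (an expiry timestamp plus an HMAC over session id and expiry, so the token is time limited and needs no server-side storage), the `SERVER_SECRET`, `TOKEN_TTL`, the `Request` shape and the parameter name `csrfKey` are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-deployment key; in a real app this is loaded from config, not generated at import.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # assumed token lifetime in seconds


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Mint a time-limited token bound to this session: '<expiry>.<hmac>'."""
    exp = (now if now is not None else int(time.time())) + TOKEN_TTL
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def verify_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """True only if the token is well-formed, unexpired, and the MAC matches this session."""
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except (ValueError, AttributeError):
        return False  # malformed token
    if (now if now is not None else int(time.time())) > exp:
        return False  # expired: a leaked token from an old log is useless
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the MAC cannot be guessed byte by byte via timing
    return hmac.compare_digest(expected, mac)


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    url: str
    form: dict = field(default_factory=dict)
    session_id: str = ""


def token_in_url(url: str) -> bool:
    """Detect a CSRF key carried in the query string; such URLs end up in access logs,
    Referer headers and crawler indexes, which is the leak the original question is about."""
    return "csrfKey" in parse_qs(urlsplit(url).query)


def csrf_status(req: Request, now: Optional[int] = None) -> int:
    """HTTP status for a state-changing request: 200 when the CSRF check passes, otherwise 403.

    Only the POST body is consulted. A key in the URL is deliberately ignored, so a crawler
    (or anyone replaying a logged URL) gets 403, never 500 and never a performed action."""
    token = req.form.get("csrfKey") if req.method == "POST" else None
    if not token or not verify_token(token, req.session_id, now):
        return 403
    return 200
```

Note that a failed check is a deliberate, expected outcome and is answered with a 403 and nothing else; a 500 on the same path means the validation raised an exception instead of returning cleanly, which is worth investigating as a separate bug.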
The Old Man Posted February 2, 2022 (Author, edited) Thanks for the super fast reply. Those URLs just had my site domain in front, the one I selected / entered when creating this topic. Is that what you mean? I can add the export download file if safe to do so. When I tested one just now it passed the Live Test option as available for reindexing.
Jim M Posted February 2, 2022 3 minutes ago, The Old Man said: "Thanks for the super fast reply. Those URLs just had my site domain in front, the one I selected / entered when creating this topic. Is that what you mean? I can add the export download file if safe to do so. When I tested one just now it passed the Live Test option as available for reindexing." Yeah, I just want to go to one of these with the exact CSRF key to see why it is claiming a 500 error rather than a 403. If you feel more comfortable messaging it to me, feel free to do so.
Jim M Posted February 2, 2022 When performing a GET request to these URLs uncached, I am getting a 403 as expected. Most of these look to have been crawled not too long ago, so it could be that something has been resolved. I would recommend having Google re-crawl these to see if this issue has since been resolved.
The Old Man Posted February 2, 2022 (Author) Thanks Jim, much appreciated.