From 4b8378a156a4ee7a2a1e57a83631583910a18378 Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Wed, 17 Mar 2021 17:25:52 -0400 Subject: Remove TODO about XSRF setting Since we don't use a JavaScript frontend, we don't actually need any XSRF protection. All of the requests will be coming from the browser, not from a computer running inside the browser (js). --- Biz/Devalloc.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Biz/Devalloc.hs b/Biz/Devalloc.hs index 04ee90e..1b76cc6 100644 --- a/Biz/Devalloc.hs +++ b/Biz/Devalloc.hs @@ -542,7 +542,7 @@ liveCookieSettings :: Auth.CookieSettings liveCookieSettings = Auth.defaultCookieSettings { Auth.cookieIsSecure = Auth.Secure, - -- TODO: fix this, add js snippet + -- disable XSRF protection because we don't use any javascript Auth.cookieXsrfSetting = Nothing } -- cgit v1.2.3
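Review bot: The replacement comment above `Auth.cookieXsrfSetting = Nothing` gives a rationale that does not hold, because cross-site request forgery does not depend on this application shipping any JavaScript. A page on another origin can cause the browser to submit a form or follow a link to this site, and the browser attaches the session cookie to that request, so with the setting at `Nothing` every cookie-authenticated, state-changing route has no token check. If the header-based check is impractical without a JS snippet (as the removed TODO implies), the comment should name the control that covers this instead: the hunk does not set a SameSite attribute in `liveCookieSettings`, so it relies on whatever `Auth.defaultCookieSettings` provides. I would set that field explicitly here, confirm that no GET handler changes state, and reword the comment to record that as the reason XSRF tokens are off.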