
fix: disable logout on GET to prevent CSRF logout attacks#990

Status: Open
ankushchk wants to merge 1 commit into alphaonelabs:main from ankushchk:fix/csrf-logout-on-get

Conversation

@ankushchk ankushchk commented Mar 1, 2026

Related issues

ACCOUNT_LOGOUT_ON_GET = True allows any website to silently log out a logged-in user by embedding a simple <img> tag:

<img src="https://alphaonelabs.com/accounts/logout/">

Checklist

  • Did you run the pre-commit?
  • Did you test the change?
  • Added screenshots to the PR description (if applicable)

Summary by CodeRabbit

  • Bug Fixes
    • Improved logout security by restricting logout requests to POST method only.
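The following is an added illustration of why the setting matters; it is not code from the alphaonelabs project or from django-allauth. It models the logout endpoint in plain Python with no framework dependency: the `Session`, `Request`, `Response` and `logout_view` names, the `csrfmiddlewaretoken` form field and the 200/302/403 status choices are simplified stand-ins for the real Django/allauth objects. A third-party page's `<img src=".../accounts/logout/">` load is a GET carrying the victim's session cookie but no form body, so it can never present a CSRF token; with `logout_on_get=True` that request ends the session, with `logout_on_get=False` only the site's own POST form does.

```python
"""Model of the ACCOUNT_LOGOUT_ON_GET CSRF-logout risk and its mitigation.

Illustration only: not alphaonelabs or django-allauth code. All class and
function names here are hypothetical stand-ins for the framework's objects.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Session:
    """Server-side session; the browser attaches its cookie on every request."""
    user: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    session: Session
    form: dict = field(default_factory=dict)  # POST body; empty for an <img> load


@dataclass
class Response:
    status: int
    body: str = ""


def logout_view(request: Request, logout_on_get: bool) -> Response:
    """Hypothetical logout endpoint under both settings.

    logout_on_get=True  -> any GET ends the session, so a cross-site <img>
                           tag can log the user out (the reported issue).
    logout_on_get=False -> GET only shows a confirmation page; logout needs
                           a POST carrying the session's CSRF token.
    """
    if request.method == "GET":
        if not logout_on_get:
            return Response(200, "confirmation page: submit the form to log out")
        request.session.user = None
        return Response(302, "logged out")
    if request.method == "POST":
        submitted = request.form.get("csrfmiddlewaretoken", "")
        # Constant-time comparison so the check does not leak the token via timing.
        if not secrets.compare_digest(submitted, request.session.csrf_token):
            return Response(403, "CSRF verification failed")
        request.session.user = None
        return Response(302, "logged out")
    return Response(405, "method not allowed")


def cross_site_image_load(session: Session, logout_on_get: bool) -> bool:
    """Simulates a third-party page embedding <img src=".../accounts/logout/">.

    The browser sends a GET with the session cookie attached and no form body.
    Returns True if the user is still logged in afterwards.
    """
    logout_view(Request("GET", session), logout_on_get)
    return session.user is not None


def cross_site_forged_post(session: Session, logout_on_get: bool) -> bool:
    """Simulates a cross-site auto-submitted form: cookie attached, token unknown.

    The attacker cannot read the victim's CSRF token, so the field is a guess.
    Returns True if the user is still logged in afterwards.
    """
    logout_view(Request("POST", session, {"csrfmiddlewaretoken": "guess"}), logout_on_get)
    return session.user is not None


def same_site_logout_form(session: Session, logout_on_get: bool) -> bool:
    """Simulates the site's own logout form, which includes the CSRF token.

    Returns True if the user is still logged in afterwards.
    """
    form = {"csrfmiddlewaretoken": session.csrf_token}
    logout_view(Request("POST", session, form), logout_on_get)
    return session.user is not None


if __name__ == "__main__":
    for setting in (True, False):
        s = Session(user="alice")  # constructed sample session
        print(f"ACCOUNT_LOGOUT_ON_GET={setting}: "
              f"still logged in after cross-site <img>? {cross_site_image_load(s, setting)}")
```

Running the block shows the two outcomes side by side: under the old setting the image load ends the session; under the new setting the GET returns the confirmation page and the session survives, while a forged cross-site POST fails the token check and only the site's own form logs the user out.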


github-actions bot commented Mar 1, 2026

👀 Peer Review Required

Hi @ankushchk! This pull request does not yet have a peer review.

Before this PR can be merged, please request a review from one of your peers:

  • Go to the PR page and click "Reviewers" on the right sidebar.
  • Select a team member or contributor to review your changes.
  • Once they approve, this reminder will be automatically removed.

Thank you for contributing! 🎉

github-actions bot added the label "files-changed: 1" (PR changes 1 file) on Mar 1, 2026

coderabbitai bot commented Mar 1, 2026

No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between e694ce8 and fad3d90.

Files selected for processing (1):
  • web/settings.py

Walkthrough

A configuration setting in web/settings.py has been updated, changing ACCOUNT_LOGOUT_ON_GET from True to False with accompanying comments explaining the CSRF risk mitigation rationale.

Changes

Cohort / File(s): Configuration Update (web/settings.py)
Summary: Changed the ACCOUNT_LOGOUT_ON_GET setting from True to False, with explanatory comments regarding CSRF security considerations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks: 3 passed
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title Check: Passed. The title clearly and specifically describes the main change (disabling logout on GET requests to prevent CSRF attacks), which matches the core objective of the pull request.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
