0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: LOW

Location: src/Controllers/BaseController.php:203-208

Bug: Any non-XHR request with a CSRF header is classified as AJAX.

Fix: Require X-Requested-With or JSON Accept instead.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:58pm

Resolved.

BaseController::isAjax no longer treats the presence of X-CSRF-TOKEN as an AJAX signal (src/Controllers/BaseController.php). The method now requires either X-Requested-With: XMLHttpRequest or Accept: application/json. A regular form POST that happens to include the CSRF header no longer gets a JSON response back.

Locking this thread.
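The classification change described in this thread, as an added PHP example that is not part of the original posts and is not the project's `BaseController` code. The function names, the header-array input and the "before" logic are assumptions reconstructed from the description, and splitting `Accept` into a comma-separated list goes slightly beyond the single value named in the post.

```php
<?php
declare(strict_types=1);

// Illustration only. Headers arrive as a name => value array (assumption).
function normalizeHeaders(array $headers): array
{
    $out = [];
    foreach ($headers as $name => $value) {
        // Header names are case-insensitive, so compare on lowercase keys.
        $out[strtolower((string) $name)] = trim((string) $value);
    }
    return $out;
}

// Reconstructed from the report (assumption): the CSRF header alone is enough.
function isAjaxBefore(array $headers): bool
{
    $h = normalizeHeaders($headers);
    return isset($h['x-csrf-token'])
        || strcasecmp($h['x-requested-with'] ?? '', 'XMLHttpRequest') === 0;
}

// True only for an explicit application/json entry; "*/*" does not count.
function acceptsJson(string $accept): bool
{
    foreach (explode(',', $accept) as $range) {
        $type = trim(explode(';', $range)[0]); // drop parameters such as q=
        if (strcasecmp($type, 'application/json') === 0) {
            return true;
        }
    }
    return false;
}

// Check as described in the resolution: explicit XHR marker or JSON Accept.
function isAjaxAfter(array $headers): bool
{
    $h = normalizeHeaders($headers);
    return strcasecmp($h['x-requested-with'] ?? '', 'XMLHttpRequest') === 0
        || acceptsJson($h['accept'] ?? '');
}

// Constructed sample requests; the token value is made up.
$samples = [
    'form POST + CSRF header' => ['X-CSRF-TOKEN' => 'constructed', 'Accept' => 'text/html,*/*;q=0.8'],
    'XHR + CSRF header'       => ['X-Requested-With' => 'XMLHttpRequest', 'X-CSRF-TOKEN' => 'constructed'],
    'fetch expecting JSON'    => ['accept' => 'application/json, text/plain;q=0.5'],
];
foreach ($samples as $label => $headers) {
    printf("%-24s before=%s after=%s\n", $label, var_export(isAjaxBefore($headers), true), var_export(isAjaxAfter($headers), true));
}
```

Only the first sample changes classification between the two functions, which is the form-POST case the resolution describes.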
