Return 403 instead of 500 if no CSRF token given Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

commit: 05fcc09436c0c34cc5883d7840abc81ad5af7969 [log] [tgz]
author: Kyle Valade <kylevalade@gmail.com> Sun Jul 06 13:43:20 2014 -0700
committer: Kyle Valade <kylevalade@gmail.com> Sun Jul 06 13:43:20 2014 -0700
tree: 5f22b6ab98378ad61bb6c250088c9ccce6fcee35
parent: f7bdd80d72dfcc7a0c49cb1c82df88dc1f992b06 [diff] [blame]
diff --git a/system/core/Security.php b/system/core/Security.php
index c4621d5..f1802f0 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php

@@ -275,7 +275,7 @@
 	 */
 	public function csrf_show_error()
 	{
-		show_error('The action you have requested is not allowed.');
+		show_error('The action you have requested is not allowed.', 403);
 	}
 
 	// --------------------------------------------------------------------
@@ -934,4 +934,4 @@
 }
 
 /* End of file Security.php */
-/* Location: ./system/core/Security.php */
\ No newline at end of file
+/* Location: ./system/core/Security.php */
commit	05fcc09436c0c34cc5883d7840abc81ad5af7969	[log] [tgz]
author	Kyle Valade <kylevalade@gmail.com>	Sun Jul 06 13:43:20 2014 -0700
committer	Kyle Valade <kylevalade@gmail.com>	Sun Jul 06 13:43:20 2014 -0700
tree	5f22b6ab98378ad61bb6c250088c9ccce6fcee35
parent	f7bdd80d72dfcc7a0c49cb1c82df88dc1f992b06 [diff] [blame]