keishidesu / mmucraft-website Goto Github PK

Occurs during an invitation request attempt. Entered email address, completed Recaptcha challenge, and then replace with another email address. Click on submit, the API generates an error.

The error appears to be generated by server-status.read request when responding to the request with a JSON payload.
The abstraction of the error message:

[ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client

Caused by an attempt to send data on a response after the response has already been sent.

After several attempts, couldn't reproduce.

Here. Users submitting the form twice using the same token which result in an error. Need to reset it regardless of any response.

After completion of this, this part needs to be fixed.

Summary of the feedbacks

1. The webpage generates error messages.
2. HTML forms without CSRF protection.
3. Password field submitted using GET method. (???)
4. Clickjacking protection.
5. The website not encrypted (HTTPS required)

Updates

11/9

Regarding item 3, the website never uses GET method in any API call. This detection probably causes by not marking form action with POST, which is unnecessary in our case, because everything is in AJAX on the website. Can possibly be solved by marking each form with action="POST"

Item 4 can be solved by adding X-Frame-Options: deny header globally.

23/9

Item 2 might not be necessary since every request is RESTful and no authentication function is involved. Submitted required information for SSL certificate (Item 5). Staged changes for item 3 and 4.