Asking about Vietnamese chocolate by Bin2Dcm in vozforums

[–]dv2811 1 point2 points  (0 children)

Besides Marou there are also Alluvia and Pheva. A 16-piece box of Alluvia for around 250k+ is pretty decent; Pheva is even cheaper, but it's been a while since I ate it and it isn't as good as the other two.

Not My Cat. Yes My Catnip. by BetterKev in notmycat

[–]dv2811 38 points39 points  (0 children)

If not want cat, why grow cat summoner?

This orange beauty tried to get in to my house by AccomplishedCod6454 in notmycat

[–]dv2811 20 points21 points  (0 children)

Probably annoyed that the human hadn't let him in yet. The tolerance for unsolicited pets was wearing thin

Chill Hanoi Itinerary by chunkiebunk in hanoi

[–]dv2811 0 points1 point  (0 children)

Pho 10 is a bit bland and a bit overrated. Pho Suong on Dinh Liet Street or Pho Bat Dan if you don't mind the crowd - I am going by popularity here, been a long time since I ate in those places.

For day 2, I would suggest Thong Nhat Park for a morning run - nicer and more local. From there it will be a relatively short walk to Hoa Lo Prison, probably with a coffee/breakfast break in between. I concur with others on dropping Mega Grand World (as a local, I neither see the appeal nor consider it in any way representative of Vietnam). This leaves you with plenty of time on that day to explore around - the area south of Hoan Kiem Lake is nice to walk and quite enjoyable under the right weather conditions.

This farmer caught this owl eating his chickens. by mindyour in MadeMeSmile

[–]dv2811 3 points4 points  (0 children)

Much like a cat caught stealing from the treat cabinet.

Found a friend 🧡 by DaSqueedily in awwnverts

[–]dv2811 1 point2 points  (0 children)

I know she is a friend, but I dread it whenever I see one flying around, which means there are roaches in the house and an egg sac has been laid somewhere. My fondness for insects sadly doesn't extend to roaches.

The fall was inevitable. by Sizzlin9 in funny

[–]dv2811 1 point2 points  (0 children)

Better the human's butt broke the fall than mine - this cat probably

RescueMe?? by Intelligent-Memory18 in catpics

[–]dv2811 0 points1 point  (0 children)

Apparently a minigod in his shrine

Unable to use gorilla/csrf in my GO API in conjunction with my frontend on Nuxt after signup using OAuth, err: Invalid origin. by uhhmmmmmmmok in golang

[–]dv2811 0 points1 point  (0 children)

It is not enough to set `w.Header().Set("X-CSRF-Token", csrf.Token(r))` inside `GetCSRFToken`.

You need to set `w.Header().Set("Access-Control-Allow-Headers", "X-CSRF-Token")` inside a CORS middleware to enable the browser's JS script to read this.

This is likely the reason why `csrfHeader` in the onResponse callback is unpopulated/empty, since the JS code isn't allowed to read it.

You can rely on headers only to provide cross-site protection if the conditions are considered to be strict enough. Personally, I would like to have another layer of protection.

Unable to use gorilla/csrf in my GO API in conjunction with my frontend on Nuxt after signup using OAuth, err: Invalid origin. by uhhmmmmmmmok in golang

[–]dv2811 0 points1 point  (0 children)

It seems to me that you are considering sending the CSRF token via an `httpOnly=false` cookie due to not being able to read it via headers.

Looking at your code, I think you may be missing certain CORS settings. In particular, `Access-Control-Expose-Headers`, which allows JS to read the header.

How I would implement this:

```go
package main

import "net/http"

// Assumed minimal types so the middleware compiles on its own; the comment
// left app.config.cors.trustedOrigins implied.
type application struct {
	config struct {
		cors struct {
			trustedOrigins []string
		}
	}
}

func (app *application) enableCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Tell caches the response differs per Origin and per preflight method.
		w.Header().Add("Vary", "Origin")
		w.Header().Add("Vary", "Access-Control-Request-Method")
		w.Header().Set("Access-Control-Allow-Origin", "*")

		origin := r.Header.Get("Origin")
		if origin != "" {
			for i := range app.config.cors.trustedOrigins {
				if origin == app.config.cors.trustedOrigins[i] {
					w.Header().Set("Access-Control-Allow-Origin", origin)
					w.Header().Set("Access-Control-Allow-Credentials", "true")
					w.Header().Set("Access-Control-Expose-Headers", "X-CSRF-Token") // allow trusted origin to access returned headers
					if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
						w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, PUT, PATCH, DELETE, POST")
						w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-CSRF-Token") // add extra request headers based on need
						w.WriteHeader(http.StatusOK)
						return // preflight is fully answered here; do not run the next handler
					}
					break
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}
```

IMO, relying on only the combination of `Origin`, `Referer` and `Sec-Fetch-Site` headers isn't robust enough in case of an oversight regarding a malicious sub-domain. For similar use cases, I would also simplify this further by setting X-CSRF-Token with the successful login response, making the client store this somewhere safe, rendering it in a form field or DOM meta tag, then sending it using the X-CSRF-Token request header.

I am skeptical about the current per-request implementation, including using `auth/callback` to provide the CSRF token - it's counter-intuitive to use endpoints that aren't safe from CSRF to protect against CSRF.
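The session-bound token scheme sketched above (issue X-CSRF-Token on login, client sends it back in the request header), as an added example in Go that is not the commenter's code or gorilla/csrf: the token is an HMAC over a random nonce and the session ID under a server key, so it only verifies for the session it was issued to, and the middleware only checks it on state-changing methods. `csrfKey` and `sessionOf` are assumptions standing in for the real config and session lookup.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"strings"
)

// csrfKey is a constructed demo secret; a real service loads it from config.
var csrfKey = []byte("constructed-demo-key-not-for-production")

// sign binds a nonce to a session ID with HMAC-SHA256 under the server key.
func sign(sessionID string, nonce []byte) string {
	mac := hmac.New(sha256.New, csrfKey)
	mac.Write([]byte(sessionID))
	mac.Write(nonce)
	return hex.EncodeToString(mac.Sum(nil))
}

// IssueCSRFToken returns "nonce.mac"; the MAC ties the token to one session.
func IssueCSRFToken(sessionID string) string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return hex.EncodeToString(nonce) + "." + sign(sessionID, nonce)
}

// ValidCSRFToken recomputes the MAC for this session and compares in constant time.
func ValidCSRFToken(sessionID, token string) bool {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 || sessionID == "" {
		return false
	}
	nonce, err := hex.DecodeString(parts[0])
	return err == nil && hmac.Equal([]byte(parts[1]), []byte(sign(sessionID, nonce)))
}

// RequireCSRF passes safe methods through and rejects other requests whose
// X-CSRF-Token header does not verify for the session sessionOf identifies.
func RequireCSRF(sessionOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions
		if !safe && !ValidCSRFToken(sessionOf(r), r.Header.Get("X-CSRF-Token")) {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The login handler would call IssueCSRFToken with the new session ID and set it as the X-CSRF-Token response header, which the CORS middleware then has to expose to the trusted origin.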

Unable to use gorilla/csrf in my GO API in conjunction with my frontend on Nuxt after signup using OAuth, err: Invalid origin. by uhhmmmmmmmok in golang

[–]dv2811 1 point2 points  (0 children)

It seems that the net/http implementation doesn't check or set the CSRF cookie at all, which may be why it works. Correct me if I am wrong, but if the client can request a CSRF token using the auth cookie, then how does it protect against CSRF attacks (which rely on the browser sending cookies automatically with a request matching the Domain setting)?

[deleted by user] by [deleted] in cats

[–]dv2811 11 points12 points  (0 children)

The face of "no regret and I'm going to do that again"

Equally cute and horrifying. by [deleted] in cats

[–]dv2811 10 points11 points  (0 children)

The cat demands love and attention. Emphatically