Kyle Isom
446b3df52d
- Fix webauthn.js CSRF token: read HMAC header value from body hx-headers attribute instead of cookie nonce - Update profile labels to mention security keys/FIDO2 alongside passkeys Security: CSRF double-submit was broken for fetch()-based WebAuthn requests — JS was sending the cookie nonce as the header value instead of the HMAC. Fixed by reading the server-rendered header token from the DOM. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1.3 KiB
1.3 KiB