When signing up for this site, I ran into an issue: Upon attempting to verify my email address, after clicking the verify button, I just got a plaintext ["BAD CSRF"]. I looked up the error message and found here that it can happen when HTTPS is misconfigured. This clued me in to notice that I had http rather than https in the address bar - fixing that on my end allowed me to complete the email verification process.
Most browsers today will automatically redirect HTTP to HTTPS. For some of the software development that I do, the aggressiveness of this auto-redirect can be inconvenient, so I’ve disabled it in my browser. This is surely why I experienced this issue while others haven’t, but it is arguably a problem, or two problems:
- The email that is sent automatically to new sign-ups contains an HTTP link instead of an HTTPS link
- The website requires HTTPS to function, but instead of implementing a server-side redirect, it assumes that the user’s browser will redirect of its own accord