We got the result of the Qualys Security Scan and the report claims there are many missing CSRF tokens around the site.
I am confused because Moodle uses sesskey for this purpose.
As far as we have looked into it, the problem might be that on an incorrect sesskey the site responds with HTTP 200 instead of HTTP 400.
Is it correct?
If it is correct, is there any way to respond with 400 on an incorrect sesskey?
Or does it even make sense to deal with this?
What's your experience? I suppose I am not alone with this.
We are using Totara Moodle 2.6; however, we will replace it with Moodle 3.4.
Many thanks in advance
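As an added illustration (not Moodle or Totara code, and not part of the post above), the following Python model shows why a black-box scanner can report "missing CSRF token" even when a per-session token such as sesskey is checked: many scanners replay the request without the token (or with a wrong one) and compare the HTTP status with the legitimate request; if both come back 200, the check is invisible to them. The session store, endpoint, and scanner probe are constructed for this example; Moodle's real check lives in `require_sesskey()` / `confirm_sesskey()` in lib/sessionlib.php and is not reproduced here.

```python
"""Added example, not Moodle/Totara code: a minimal per-session anti-CSRF
token check (sesskey-style) plus the probe a black-box scanner performs.
All names, the session store and the endpoint are constructed for illustration."""
import hmac
import secrets

# Constructed in-memory session store: session id -> anti-CSRF token.
SESSIONS = {}


def issue_token(session_id):
    """Return the session's token, creating it on first use (like sesskey)."""
    return SESSIONS.setdefault(session_id, secrets.token_hex(16))


def handle_post(session_id, params, reject_status=400):
    """Simulated state-changing endpoint. Returns (http_status, body).

    reject_status models the two behaviours discussed in the question:
    400 (a real error status) versus 200 (an error page rendered as a
    normal response). The token comparison is constant-time.
    """
    expected = SESSIONS.get(session_id)
    supplied = params.get("sesskey", "")
    if expected is None or not hmac.compare_digest(supplied, expected):
        return reject_status, "invalid sesskey"
    return 200, "ok: setting updated"


def scanner_probe(session_id, reject_status=400):
    """Mimic a black-box CSRF check: send the request with a valid token,
    then without one and with a forged one, and flag a finding when the
    status code of the bad requests equals that of the good request."""
    token = issue_token(session_id)
    good_status, _ = handle_post(session_id, {"sesskey": token}, reject_status)
    missing_status, _ = handle_post(session_id, {}, reject_status)
    forged_status, _ = handle_post(
        session_id, {"sesskey": "0" * len(token)}, reject_status
    )
    return {
        "good": good_status,
        "missing": missing_status,
        "forged": forged_status,
        # The scanner cannot see the rejection text, only the status.
        "flagged": good_status == missing_status == forged_status,
    }


if __name__ == "__main__":
    # Site that answers a bad sesskey with HTTP 200: scanner reports CSRF.
    print("status 200 on bad token:", scanner_probe("sess-A", reject_status=200))
    # Site that answers with HTTP 400: the check is visible, no finding.
    print("status 400 on bad token:", scanner_probe("sess-B", reject_status=400))
```

The "flagged" result is a heuristic, not proof of a vulnerability: in the 200 case the state change is still refused, so the practical decision is whether to return a distinguishing status (400 or 403) so that scanners stop reporting it, or to document the finding as a false positive after verifying by hand that the replayed request did not change state.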