I believe the current implementation of Server Connect is vulnerable to CSRF
Example of affected usage, logout button:
Because there's no CSRF token validation on GET requests, a user could be logged out by just visiting another website with something like:
<img src="https://example.com/api/logout">
The way to make this safe is to make it a POST form with a CSRF token, or a GET request with a CSRF token. Maybe add a checkbox in the Wappler UI to add a CSRF token somehow? Ideally served server-side.
Thoughts?
Edit: Server Connect Forms (POST) also lack a CSRF token. In order not to break existing applications that may use the API outside of a website context, the CSRF token should be optional but encouraged for new projects.