Hide form fields when there is a potential hazard

Suppose one of your forms displays database access credentials (usernames and passwords). How do you protect them from CSRF?

It is sufficient to set the parameter secured=yes on the input elements of the fields that carry security-sensitive data. For example:

<metadata name="dbconnection" type="form">
  <form>
    <field name="url">
      <input type="text" name="url"/>
    </field>
    <field name="username">
      <input type="text" name="username" secured="yes"/>
    </field>
    <field name="password">
      <input type="text" name="password" secured="yes"/>
    </field>
  </form>
</metadata>

Thus, if a user of the panel accidentally lands on a malicious site that mounts a CSRF attack (i.e. tries to fetch the form data with a GET request), the panel will detect that the referrer of the incoming request does not match its own referrer, and the username and password fields will be hidden.
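To make the mechanism concrete, here is an added Python example (not the panel's own code) that reads the metadata above, collects the fields marked secured="yes", and blanks their values whenever the request's Referer header does not point at the panel's own host. The metadata string is copied from the page; the form values, the header dictionaries and the host name panel.example.com are constructed for the illustration, and the exact comparison the panel performs is an assumption here (this version fails closed on a missing or malformed Referer).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Form description from the page: two of the three fields are marked secured="yes".
FORM_METADATA = """<metadata name="dbconnection" type="form">
  <form>
    <field name="url">
      <input type="text" name="url"/>
    </field>
    <field name="username">
      <input type="text" name="username" secured="yes"/>
    </field>
    <field name="password">
      <input type="text" name="password" secured="yes"/>
    </field>
  </form>
</metadata>"""

# Constructed sample values for the stored form data.
FORM_DATA = {"url": "localhost:3306", "username": "dbuser", "password": "s3cret"}


def secured_fields(metadata_xml: str) -> set:
    """Return the names of all fields whose <input> element carries secured="yes"."""
    root = ET.fromstring(metadata_xml)
    names = set()
    for field in root.iter("field"):
        for inp in field.iter("input"):
            if inp.get("secured", "no").lower() == "yes":
                names.add(field.get("name"))
    return names


def referrer_matches(headers: dict, panel_host: str) -> bool:
    """Assumed check: the Referer header must be present and name the panel's own host.

    A missing or unparsable Referer is treated as a mismatch, so the secured
    fields stay hidden unless the request demonstrably came from the panel."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.netloc.lower() == panel_host.lower()


def render_form(metadata_xml: str, data: dict, headers: dict, panel_host: str) -> dict:
    """Build the values sent back to the client.

    Non-secured fields are always returned; secured fields are blanked out
    unless the referrer check passes."""
    hidden = secured_fields(metadata_xml)
    trusted = referrer_matches(headers, panel_host)
    rendered = {}
    for name, value in data.items():
        if name in hidden and not trusted:
            rendered[name] = ""  # hide the sensitive value from an untrusted context
        else:
            rendered[name] = value
    return rendered


if __name__ == "__main__":
    same_origin = {"Referer": "https://panel.example.com/dbconnection"}
    foreign = {"Referer": "https://attacker.example/"}
    print("from the panel:   ", render_form(FORM_METADATA, FORM_DATA, same_origin, "panel.example.com"))
    print("from elsewhere:   ", render_form(FORM_METADATA, FORM_DATA, foreign, "panel.example.com"))
    print("no Referer at all:", render_form(FORM_METADATA, FORM_DATA, {}, "panel.example.com"))
```

Note that the url field, which is not marked secured, is returned in every case; only the two secured fields are blanked. A referrer comparison of this kind is a defence-in-depth measure for read-only exposure: browsers and proxies may strip the Referer header, so treating its absence as untrusted is the safe default, and state-changing requests should still be protected with a per-session token.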