[Owasp-csrfguard] Django and Ruby on Rails Mimic CSRFGuard
eric.sheridan at owasp.org
Thu Feb 10 13:39:56 EST 2011
I read an article last night about how Django and Ruby on Rails CSRF
protections for Ajax requests were found broken. Attackers could forge
the headers through a combination of browser plugins and redirects.
Their fix? Implement the CSRF protection token in a custom HTTP header
for all Ajax requests - this is what CSRFGuard already does! I was a
little ornery about the subject last night resulting in an amusing blog
If you know anyone using CSRFGuard or using it as a reference
implementation, please let me know! I'd like to have the main page list
companies/users using the product.
As always, I am in need of testing for the 3.0 release. Drop me a line
if you have feedback!