[Owasp-csrfprotector] protection for GET requests

Minhaz A V minhazav at gmail.com
Sat May 31 18:36:29 UTC 2014


Since CSRF attacks are basically meant for logged-in users, the
developer will include the library and initiate it only for those pages. So
I don't think we need to keep another list for POST?


Minhaz,
minhaz.cistoner.org || cistoner.org


On Fri, May 30, 2014 at 11:42 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Also, not all POSTs need CSRF protection: a public comment form, a public
> registration form, or login do not need tokens.
>
>
> Aloha,
> Jim
>
> On 5/29/14, 6:55 PM, Minhaz A V wrote:
>
> I could not think of a good configuration name for this field, where the
> user maintains the URL/regex of those pages for which CSRF validation (GET) is
> supposed to be done. Available at: https://github.com/mebjas/CSRF-Protector-PHP/blob/GET-support/libs/config.php#L17
>
>
> Suggest me one; *verifyGetFor* doesn't look good as a parameter name :O
>
>
>