[Owasp-csrfprotector] protection for GET requests
Minhaz A V
minhazav at gmail.com
Sat May 31 18:36:29 UTC 2014
Since CSRF attacks are basically meant for logged-in users, the
developer will include the library and initiate it only for those pages. So
I don't think we need to keep another list for POST?
minhaz.cistoner.org || cistoner.org
On Fri, May 30, 2014 at 11:42 AM, Jim Manico <jim.manico at owasp.org> wrote:
> Also not all POST need CSRF protection: a public comment form, a public
> registration form, or login do not need tokens.
> On 5/29/14, 6:55 PM, Minhaz A V wrote:
> I could not think of a good configuration name for this field, where the
> user maintains the URL/regex of those pages for which CSRF validation (GET) is
> supposed to be done. Available at: https://github.com/mebjas/CSRF-Protector-PHP/blob/GET-support/libs/config.php#L17
> Suggest me one; *verifyGetFor* doesn't look good as a parameter name :O
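
The per-request decision discussed in this thread, as an added example that is not part of the original messages and is not CSRF-Protector-PHP's own code. `verifyGetFor` is the tentative name from the message; the pattern format, the function names, the handling of non-GET methods and the sample paths are assumptions.

```php
<?php
// Added illustration; not code from CSRF-Protector-PHP.
// Assumed format: a list of PCRE patterns matched against the request path.
$verifyGetFor = [
    '#^/account/delete\.php$#',
    '#^/admin/#',
];

/**
 * Decide whether a request must carry a valid CSRF token.
 * Non-GET (POST and, by assumption, other methods): always checked on pages
 * that initialise the library, so no separate POST list is kept.
 * GET: checked only when the path matches an entry in $verifyGetFor.
 */
function needsCsrfCheck(string $method, string $requestUri, array $verifyGetFor): bool
{
    if (strtoupper($method) !== 'GET') {
        return true;
    }
    // Match on the path only, so the query string cannot change the outcome.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return true; // unparseable URI: fail closed
    }
    foreach ($verifyGetFor as $pattern) {
        $result = preg_match($pattern, $path);
        if ($result === 1 || $result === false) {
            return true; // a match, or a broken pattern: fail closed
        }
    }
    return false;
}

/** Constant-time comparison of the session token with the submitted one. */
function tokenIsValid(?string $sessionToken, $submitted): bool
{
    return is_string($sessionToken) && $sessionToken !== ''
        && is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Constructed sample requests.
$samples = [['GET', '/index.php?page=2'], ['GET', '/admin/users.php?id=7'], ['POST', '/profile.php']];
foreach ($samples as [$method, $uri]) {
    $check = needsCsrfCheck($method, $uri, $verifyGetFor) ? 'yes' : 'no';
    printf("%-4s %-24s check=%s\n", $method, $uri, $check);
}
```

Pages such as a public comment form or login, which the quoted reply says need no token, are covered by not initialising the library on them rather than by a second list.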