https://issues.apache.org/bugzilla/show_bug.cgi?id=55276
--- Comment #4 from Morten Jorgensen <[email protected]> ---
> I think we would want some kind of nonce/CSRF token
> (I think the balancer manager has this?)

The balancer-api handler is intended for access by an application over the REST protocol. However, there is nothing preventing a user's browser from hitting the balancer-api handler from within their secure network (where they are allowed to access the URL for the balancer-api handler).

But, updates to the load balancer, such as adding a worker or disabling a worker, can only be done using HTTP PUT and HTTP DELETE. I am not sure if these HTTP verbs can be forged through a URL embedded in a third-party website - but I seriously doubt that.

With this in mind, can you please review if the nonce/CSRF token is required? I don't really know how this would be implemented for a REST API that is accessed by an external application. Would you require two service calls; one to get the nonce, and a subsequent call to submit your PUT/DELETE request with the nonce embedded in the URL or body?
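The two-call nonce flow the comment asks about (one call to obtain a nonce, a second PUT/DELETE that carries it), sketched as an added Python example that is not part of the bug thread or of httpd; `NonceStore`, `handle_request` and the session identifiers are hypothetical names chosen for illustration.

```python
import secrets
import time

# Hypothetical nonce store for a REST handler like the balancer-api discussed
# above. The GET-nonce-then-PUT/DELETE flow, the names and the TTL are
# assumptions for illustration; none of this is httpd code.
MUTATING_METHODS = {"PUT", "DELETE"}
NONCE_TTL_SECONDS = 300


class NonceStore:
    """Issues single-use, session-bound nonces with a fixed lifetime."""

    def __init__(self, ttl=NONCE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._live = {}              # nonce -> (session_id, expiry)

    def issue(self, session_id):
        """First service call: the client obtains a nonce bound to its session."""
        nonce = secrets.token_urlsafe(24)
        self._live[nonce] = (session_id, self._clock() + self._ttl)
        return nonce

    def consume(self, session_id, nonce):
        """Second call: the nonce must exist, belong to this session and be
        unexpired. It is removed on the first attempt, valid or not, so a
        captured value cannot be replayed."""
        entry = self._live.pop(nonce, None)
        if entry is None:
            return False
        owner, expiry = entry
        return owner == session_id and self._clock() <= expiry


def handle_request(store, method, session_id, nonce=None):
    """Return an HTTP status: reads pass freely, writes require a valid nonce."""
    if method.upper() not in MUTATING_METHODS:
        return 200                   # GET/HEAD are read-only; no nonce needed
    if nonce is None or not store.consume(session_id, nonce):
        return 403                   # missing, foreign, expired or replayed nonce
    return 200                       # the worker add/disable would be applied here


if __name__ == "__main__":
    store = NonceStore()
    n = store.issue("admin-session")
    print(handle_request(store, "PUT", "admin-session", n))   # 200
    print(handle_request(store, "PUT", "admin-session", n))   # 403 (replay)
```

Binding the nonce to the session is what stops a value obtained in one browser context from authorising a change in another; the single-use pop is what stops replay.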
