potiuk commented on PR #39138: URL: https://github.com/apache/airflow/pull/39138#issuecomment-2071839590
> I feel this should be POST since the action feels more like a write than read. But it's a bit grey I guess.

Yes, we should change it to POST. From a security point of view, any request that changes the state of the DB should be POST/PUT/DELETE rather than GET. For the API requests that require `Content-Type: application/json`, that will prevent a CSRF attack, where a malicious user could send a GET request using the session of a user who is already logged in in another tab, because it is not possible to post an HTML form with "application/json" content type. Our APIs are CSRF-exempt, so, as opposed to POST requests, a malicious user can send arbitrary GET requests using the session of the logged-in user in another tab (but cannot retrieve the result of such GET requests), so GET requests should not be used to change the DB state. In this case there is a file token that gives additional protection, but changing it to POST is the best way to protect from a malicious user.
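The two defences the comment describes, as an added example that is not Airflow's own code: a minimal stdlib WSGI handler for a hypothetical state-changing endpoint (`/api/v1/logs/delete`, a constructed path) that refuses GET outright and accepts a POST only when its `Content-Type` is `application/json`, which a cross-site HTML form cannot produce. The file token mentioned in the comment is not modelled here.

```python
# Added example, not Airflow's code: a state-changing endpoint hardened the
# way the comment recommends. A browser form on another origin can only
# submit GET, or POST with application/x-www-form-urlencoded,
# multipart/form-data or text/plain, so requiring application/json
# (and never mutating on GET) blocks form-based CSRF against this route.
import io
import json

STATE = {"logs": {"run-1": "kept"}}  # constructed sample state
ROUTE = "/api/v1/logs/delete"        # hypothetical route name


def app(environ, start_response):
    """WSGI app: only a JSON POST may delete a log entry."""
    method = environ["REQUEST_METHOD"]
    # Strip parameters such as "; charset=utf-8" before comparing.
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if environ.get("PATH_INFO") != ROUTE:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if method == "GET":
        # A GET that mutates state is reachable via a link, redirect or
        # <img src>, with the victim's cookies attached; refuse it.
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b"use POST"]
    if method != "POST" or ctype != "application/json":
        start_response("415 Unsupported Media Type",
                       [("Content-Type", "text/plain")])
        return [b"Content-Type: application/json required"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = json.loads(environ["wsgi.input"].read(length) or b"{}")
    run_id = body.get("run_id")
    STATE["logs"].pop(run_id, None)
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"deleted": run_id}).encode()]


def call(method, content_type=None, body=b""):
    """Drive the app with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": ROUTE,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if content_type:
        environ["CONTENT_TYPE"] = content_type
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out
```

`call("GET")` and a form-encoded POST are both rejected without touching `STATE`; only the JSON POST removes the entry.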
