*Put all destructive actions behind POST requests*
I'd even extend this and say: *Make sure that nothing (besides logs) can
be changed in your application using GET*. Otherwise you'll not only
violate the HTTP specifications, but also open your page to CSRF attacks ;).
-- Felix Geisendörfer aka the_undefined
--------------------------
http://www.thinkingphp.org
http://www.fg-webdesign.de
Klaus Hartl wrote:
Brian Litzinger wrote:
So I'm reading John's new book "Pro JavaScript Techniques" and came across
page 130 in the book about Google's Accelerator deleting a bunch of content
on people's sites because they used normal links for editing and deleting
content. Does this apply to links that use Ajax to delete something, or a
link like href="url.php?delete=1"?
I feel kind of stupid asking this :D
Yes:
*Put all destructive actions behind POST requests*
-- Klaus
_______________________________________________
jQuery mailing list
[email protected]
http://jquery.com/discuss/