Hi,

I need to protect some of my GET requests in the application against CSRF 
attacks. 
AFAIK, many (if not all) resources writing about CSRF protection say that 
this usually only needs to be done for POST requests which change data or 
the state of the application. However, I feel the need to protect some GET 
requests because they return sensitive information whose disclosure must be 
prevented because of e.g. data privacy. I think I need to provide the token 
within the GET parameters of the request. I am using per-request 
CSRF tokens, so the issue of disclosing the tokens in the URL as described 
on OWASP [0] should not be a big deal.

Now I am thinking about the best way to do this in pyramid.

Currently I am thinking about implementing the following simple idea:

1. Write a wrapper method for the various "route" methods in 
*pyramid.request* which adds the current CSRF token to the GET parameters.
2. Check the token by providing the *check_csrf* parameter to the 
*add_view* method.

Do you think this is a good approach, or what would be your advice?

While writing this I am wondering if it would be possible (maybe it already 
is; I have not tried it) for the route methods to automatically add the 
current CSRF token to the URL in case the related view has set the 
check_csrf parameter.

[0] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL

Torsten
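A framework-independent sketch of the two steps described in the post, added here as an example (it is not Torsten's code and not Pyramid's implementation; the `session` dict stands in for `request.session`, and the query parameter name `csrf_token` is an assumption):

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter carrying the token (assumption: the name mirrors the
# "csrf_token" default Pyramid's check uses, but nothing here depends on Pyramid).
TOKEN_PARAM = "csrf_token"


def new_csrf_token(session):
    """Rotate the session's token. Calling this on every request gives the
    per-request tokens described above: a token embedded in an earlier URL
    stops working as soon as the next page is rendered."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def get_csrf_token(session):
    """Return the current token, creating one on first use."""
    return session.get("csrf_token") or new_csrf_token(session)


def protected_url(url, session):
    """Step 1: wrapper around a URL generator (a route_url-like call) that
    appends the current token to the GET parameters."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((TOKEN_PARAM, get_csrf_token(session)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def check_protected_get(url, session):
    """Step 2: server-side check for a GET request. Reads the token from the
    query string and compares it in constant time with the session's token.
    A missing or stale token fails the check."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    supplied = params.get(TOKEN_PARAM)
    expected = session.get("csrf_token")
    if supplied is None or expected is None:
        return False
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    session = {}  # constructed stand-in for request.session
    link = protected_url("https://app.example/report?id=7", session)
    print(link)                                # .../report?id=7&csrf_token=...
    print(check_protected_get(link, session))  # True
    new_csrf_token(session)                    # next request rotates the token
    print(check_protected_get(link, session))  # False: stale per-request token
```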
