Did you search the docs?
http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/sessions.html?highlight=csrf#preventing-cross-site-request-forgery-attacks
--steve
On 12/9/14 at 12:50 PM, [email protected] (Mehdi) pronounced:
Hi
I have my pyramid app with beaker session enabled. Now I want
to make my app more secure against CSRF attacks, but I don't
get it right:
1- Should I set check_csrf=True in all my view_configs? If yes,
then how could I get the CSRF token in the first place?
2- If no, then in this exact view how should I return the token?
Via template meta tag or hidden input element or cookie? Are
all of them safe?
If a malicious website sends a request to this view (without
check_csrf) what will be the response? I know the cookie won't
be set for the malicious website, but if the token was in the returned
HTML, i.e. in a hidden input element, the attacker would be able to parse
the HTML to find it, right?
I guess I'm pretty confused about how CSRF works!
------------------------
Steve Piercy, Soquel, CA
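A minimal model of the session-bound token check that the check_csrf view predicate performs, added here as an illustration of the questions in the thread; this is not Pyramid's code nor code from either poster. The `_csrft_` session key and the `csrf_token` form field name are assumptions modelled on Pyramid's defaults, and the session is a plain dict standing in for the beaker session.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"   # assumed form field name read by the CSRF check
SESSION_KEY = "_csrft_"      # assumed key under which the session keeps its token


def get_csrf_token(session):
    """Return the session's CSRF token, minting one on first use.
    This is the role request.session.get_csrf_token() plays in Pyramid."""
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_hex(20)   # unguessable, bound to this session
        session[SESSION_KEY] = token
    return token


def render_form(session):
    """GET view: the token travels to the browser inside the HTML (a hidden
    input here; a meta tag works the same way). The browser's same-origin
    policy stops a page on another site from reading this response, so the
    attacker's page never learns the token even though it can send the cookie."""
    return ('<form method="post"><input type="hidden" name="%s" value="%s">'
            '</form>' % (TOKEN_FIELD, get_csrf_token(session)))


def check_csrf(session, params):
    """check_csrf=True in miniature: the submitted token must equal the one
    stored in the visitor's session. compare_digest avoids timing leaks."""
    expected = session.get(SESSION_KEY)
    submitted = params.get(TOKEN_FIELD, "")
    return expected is not None and hmac.compare_digest(expected, submitted)


def post_view(session, params):
    """POST view guarded by the check; returns (status, body)."""
    if not check_csrf(session, params):
        return 400, "CSRF token missing or invalid"
    return 200, "form accepted"


def demo():
    """Constructed walk-through: one session, three kinds of POST."""
    session = {}
    render_form(session)                       # legitimate GET mints the token
    token = session[SESSION_KEY]
    legit = post_view(session, {TOKEN_FIELD: token})      # form round-trips token
    forged = post_view(session, {})                       # cross-site POST: cookie only
    guessed = post_view(session, {TOKEN_FIELD: "0" * 40}) # attacker guesses a value
    return legit, forged, guessed
```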