On Tue, Jun 20, 2017 at 11:38 AM, Jonathan Vanasco <[email protected]> wrote:
> I'm just paranoid about security related concepts like this and expect
> unit/integrated tests to miss a bunch of edge cases, so want to make sure I
> migrate everything and regex the source code & site-packages for anything
> that touches it.
Do you think CSRF tokens are that important? In some cases you really don't want people submitting anything without going through the form, but in other cases it doesn't really matter, and in other cases you *want* them to be able to submit inter-application search requests from their own programs.

I've talked with some people about this and what I've heard is that if you have HTTPS then that takes care of some of the things CSRF tokens were invented for.

We just did an evaluation of one application and decided that the only form that needs CSRF tokens is the login form.

-- 
Mike Orr <[email protected]>

-- 
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAH9f%3DuqBWtnDFCLrDjpvs-YqGVhuugV5v9F%2BrKMTh2%2B4H29x_A%40mail.gmail.com.
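As an added illustration of the distinction drawn in this thread (not code from either poster or from Pyramid itself), here is a minimal per-session CSRF check in plain Python. It enforces the token only where the attack actually applies: state-changing requests that the browser authenticates with a session cookie. Programmatic clients that send an explicit Authorization header and no cookie are let through, which covers the "inter-application search requests from their own programs" case. The request dicts, field names and cookie name are constructed assumptions for the example.

```python
import hmac
import secrets

# Hypothetical names for this example: the hidden form field / request
# header carrying the token, and the cookie that marks a browser session.
TOKEN_FIELD = "csrf_token"
SESSION_COOKIE = "session"


class CsrfError(Exception):
    """Raised when a cookie-authenticated, state-changing request lacks a valid token."""


def new_csrf_token(session):
    """Generate a fresh per-session token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def uses_ambient_credentials(request):
    """CSRF exists because the browser attaches cookies to any request,
    including a form post a third-party page forges. A client that
    authenticates with an explicit Authorization header and sends no
    session cookie cannot be forged that way: the victim's browser will
    not add that header for another origin. TLS does not change this;
    a forged form post travels over HTTPS with the victim's cookie just
    like a legitimate one."""
    return SESSION_COOKIE in request["cookies"]


def check_csrf(request, session):
    """Enforce the token only for cookie-authenticated state-changing
    requests. Returns True when the request is acceptable, raises otherwise."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods change no state; searches over GET pass
    if not uses_ambient_credentials(request):
        return True  # no ambient credentials, nothing to forge
    expected = session.get(TOKEN_FIELD)
    supplied = request["form"].get(TOKEN_FIELD) or request["headers"].get("X-CSRF-Token")
    if expected is None or supplied is None:
        raise CsrfError("missing CSRF token")
    # Constant-time comparison on bytes: compare_digest on str raises
    # TypeError if an attacker-supplied value contains non-ASCII data.
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        raise CsrfError("bad CSRF token")
    return True


def is_allowed(request, session):
    """Boolean wrapper around check_csrf for callers that prefer no exception."""
    try:
        return check_csrf(request, session)
    except CsrfError:
        return False


def make_request(method, cookies=None, form=None, headers=None):
    """Build a constructed request dict standing in for a real framework request."""
    return {"method": method, "cookies": cookies or {}, "form": form or {}, "headers": headers or {}}
```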
