Hi Lucas

My approach has always been to turn off CSRF for API routes - if you don't want people being able to POST/PUT/DELETE, then authentication would be a good idea. Why does turning CSRF off for these routes not sound right to you?
-- Pat

On 05/01/2012, at 8:57 AM, 2potatocakes wrote:

> Hi guys,
>
> I haven't actually looked around properly yet (am doing it now..) but
> thought I'd flick this question over here first anyways and see what
> you all thought?
>
> I'm upgrading an old behemoth of an application to 2.3.14 at the mo
> and needed to add in CSRF protection for the entire site. The thing
> is, the majority of the site is web based but about 40% of it also
> acts as an API returning XML. I've updated my non-GET/POST requests to
> use the token and the site is working fine via the web, but if I try
> and access it via the existing API, my session data is now destroyed
> as the API request does not include the token..
>
> Anyone got any ideas on the best way to approach this? So far I've
> only read people saying to turn it off for the particular methods you
> want to expose.. which doesn't sound right to me..
>
> Cheers if you can help.
>
> Kind Regards,
>
> Lucas
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby or Rails Oceania" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/rails-oceania?hl=en.
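The split Pat describes, written out as a plain-Ruby example that is not part of this thread and not Lucas's or Pat's code: browser routes keep the CSRF token check because the browser attaches the session cookie to a cross-site POST on its own, while API routes skip the token and instead demand a credential the browser will never add by itself (HTTP Basic here). The `Request` struct, the `API_CLIENTS` table and the sample requests are all constructed for the example; the Rails 2.3 filter names in the comment are the standard ones, but the controller layout is an assumption about how such an app might be arranged.

```ruby
require 'securerandom'

# Stand-in for the Rails request object (constructed for this example).
Request = Struct.new(:verb, :format, :params, :session, :headers)

# Constructed API credentials; a real app looks these up in its own store.
API_CLIENTS = { "reporting-job" => "k1-9f8e7d6c" }.freeze

# Compare two secrets without leaking the position of the first mismatch.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The poster's API answers in XML, so treat XML-format requests as API routes.
def api_request?(req)
  req.format == :xml
end

# Parse "Authorization: Basic base64(id:secret)" and check it against API_CLIENTS.
# The session cookie is deliberately ignored here: if the API accepted the
# cookie as a login, skipping the CSRF token would re-open the hole.
def api_client_authenticated?(req)
  header = req.headers["Authorization"].to_s
  return false unless header.start_with?("Basic ")
  id, secret = header.sub("Basic ", "").unpack1("m").split(":", 2)
  expected = API_CLIENTS[id]
  !expected.nil? && constant_time_equal?(expected, secret.to_s)
end

# Safe verbs are never token-checked, the same rule protect_from_forgery applies.
def csrf_check_required?(req)
  !%w[GET HEAD].include?(req.verb)
end

def csrf_token_valid?(req)
  constant_time_equal?(req.session[:_csrf_token], req.params["authenticity_token"])
end

# Verdict for a request:
#   :ok            handle it
#   :unauthorized  API route without a valid credential (answer 401, don't reset the session)
#   :forbidden     browser route whose token is missing or wrong
#
# In a Rails 2.3 app the same split would look roughly like this (assumed layout):
#   class ApplicationController < ActionController::Base
#     protect_from_forgery
#   end
#   class ApiController < ApplicationController
#     skip_before_filter :verify_authenticity_token
#     before_filter :authenticate_api_client   # HTTP Basic / token check
#   end
def gate(req)
  if api_request?(req)
    return api_client_authenticated?(req) ? :ok : :unauthorized
  end
  return :ok unless csrf_check_required?(req)
  csrf_token_valid?(req) ? :ok : :forbidden
end

# Constructed requests exercising each path, keyed by what they represent.
def sample_results
  token = SecureRandom.hex(16)
  session = { :_csrf_token => token, :user_id => 42 }
  basic = "Basic " + ["reporting-job:k1-9f8e7d6c"].pack("m0")

  {
    browser_post_with_token:      gate(Request.new("POST", :html, { "authenticity_token" => token }, session, {})),
    browser_post_missing_token:   gate(Request.new("POST", :html, {}, session, {})),
    browser_get:                  gate(Request.new("GET",  :html, {}, session, {})),
    api_post_with_credential:     gate(Request.new("POST", :xml,  {}, {}, { "Authorization" => basic })),
    api_post_no_credential:       gate(Request.new("POST", :xml,  {}, {}, {})),
    # Cross-site POST to the API: the session cookie rides along, the Basic header does not.
    api_post_forged_from_browser: gate(Request.new("POST", :xml,  {}, session, {})),
  }
end

if __FILE__ == $0
  sample_results.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

The last sample is the case to check before switching the token off for a route: a forged cross-site POST to the API path still carries the victim's session cookie, so the API route must authenticate from the `Authorization` header (or an equivalent non-cookie credential) and never fall back to the session. With that in place the token adds nothing on those routes, which is the reasoning behind Pat's approach; without it, disabling the check turns the API into a CSRF target.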
