FWIW, I ran into this the other night as well, wasted a bunch of time on the Googles and just ended up turning off CSRF for the API and doing token auth for the API.
On Thu, Jan 5, 2012 at 11:03 AM, Pat Allan <[email protected]> wrote:
>
> Hi Lucas
>
> My approach has always been to turn off CSRF for API routes - if you don't want people being able to POST/PUT/DELETE, then authentication would be a good idea. Why does turning CSRF off for these routes not sound right to you?
>
> --
> Pat
>
> On 05/01/2012, at 8:57 AM, 2potatocakes wrote:
>
> > Hi guys,
> >
> > I haven't actually looked around properly yet (am doing it now..) but thought I'd flick this question over here first anyway and see what you all thought?
> >
> > I'm upgrading an old behemoth of an application to 2.3.14 at the mo and needed to add in CSRF protection for the entire site. The thing is, the majority of the site is web based but about 40% of it also acts as an API returning XML. I've updated my non-GET/POST requests to use the token and the site is working fine via the web, but if I try and access it via the existing API, my session data is now destroyed as the API request does not include the token..
> >
> > Anyone got any ideas on the best way to approach this? So far I've only read people saying to turn it off for the particular methods you want to expose.. which doesn't sound right to me..
> >
> > Cheers if you can help.
> >
> > Kind Regards,
> >
> > Lucas
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Ruby or Rails Oceania" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to [email protected].
> > For more options, visit this group at http://groups.google.com/group/rails-oceania?hl=en.
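The split that Pat and the follow-up describe (CSRF verification stays on for browser routes, API routes skip it and require a client token instead) as an added example. This is not code from the thread or from Rails; it is a plain-Ruby, Rack-style app so it runs without a Rails install. In a Rails 2.3 controller the first half maps to `skip_before_filter :verify_authenticity_token` on the API controllers, with the token check as a `before_filter` of your own. Assumptions: API routes live under `/api/`, the client token arrives in an `X-Api-Token` header, and the token table, session and request hashes are constructed for the example.

```ruby
require 'securerandom'

module Csrf
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Constant-time comparison so a token check does not leak, via timing, how
  # many leading bytes matched. Comparing lengths first is fine: the length
  # of a stored token is not a secret.
  def self.secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

class ForgeryAwareApp
  API_PREFIX = '/api/'.freeze # assumption: API routes live under /api/

  # api_tokens: { "<secret token>" => "<client name>" } (constructed for the example)
  def initialize(api_tokens)
    @api_tokens = api_tokens
  end

  def call(env)
    method = env['REQUEST_METHOD']
    path   = env['PATH_INFO']
    path.start_with?(API_PREFIX) ? handle_api(env, method, path) : handle_browser(env, method, path)
  end

  private

  # API route: no CSRF check and the session is never consulted. A request is
  # authorised only by a token the client sends explicitly, which a cross-site
  # form, link or <img> cannot attach, so skipping the CSRF token is safe here.
  def handle_api(env, method, path)
    client = authenticate_token(env['HTTP_X_API_TOKEN'])
    return respond(401, '<error>api token required</error>') unless client
    respond(200, "<ok client=\"#{client}\" method=\"#{method}\" path=\"#{path}\"/>")
  end

  def authenticate_token(presented)
    return nil if presented.nil?
    # Walk every token rather than stopping at the first match, so the lookup
    # cost does not reveal where in the table a near-match sits.
    found = nil
    @api_tokens.each { |token, client| found = client if Csrf.secure_equal?(presented, token) }
    found
  end

  # Browser route: the session cookie authenticates the user, so every
  # state-changing verb must also carry the per-session authenticity token.
  def handle_browser(env, method, path)
    session = env['rack.session'] || {}
    return respond(401, 'login required') unless session[:user]
    unless Csrf::SAFE_METHODS.include?(method)
      presented = (env['params'] || {})['authenticity_token']
      return respond(422, 'invalid authenticity token') unless Csrf.secure_equal?(presented, session[:_csrf_token])
    end
    respond(200, "ok #{method} #{path} for #{session[:user]}")
  end

  def respond(status, body)
    [status, { 'Content-Type' => 'text/plain' }, [body]]
  end
end

# Constructed sample requests: Rack env hashes trimmed to the keys used above.
# Returns the status each request gets.
def demo
  app     = ForgeryAwareApp.new('s3cr3t-reporting-key' => 'reporting')
  csrf    = SecureRandom.hex(16)
  session = { :user => 'lucas', :_csrf_token => csrf }
  {
    # API client presenting its token: accepted without any session or CSRF token.
    :api_with_token  => app.call('REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/api/orders',
                                 'HTTP_X_API_TOKEN' => 's3cr3t-reporting-key')[0],
    # Browser session cookie alone (what a cross-site POST would carry): rejected on API routes.
    :api_cookie_only => app.call('REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/api/orders',
                                 'rack.session' => session)[0],
    :api_wrong_token => app.call('REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/api/orders',
                                 'HTTP_X_API_TOKEN' => 'nope')[0],
    # Browser form with the session's authenticity token: accepted.
    :web_with_token  => app.call('REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/orders',
                                 'rack.session' => session, 'params' => { 'authenticity_token' => csrf })[0],
    # Same session but no token, i.e. a forged cross-site POST: rejected.
    :web_forged      => app.call('REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/orders',
                                 'rack.session' => session)[0],
    # GET needs no token.
    :web_get         => app.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/orders',
                                 'rack.session' => session)[0]
  }
end

puts demo.inspect if __FILE__ == $0
```

The point of the split is that the API side authenticates with something the browser never sends automatically, so disabling the CSRF token there removes nothing a cookie-only attacker could have used; if an API route ever falls back to the session cookie, the CSRF check must come back with it.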
