I've always found the CSRF token to be a really bad fit for API-based interaction. It requires that you do a GET before any POST or PUT to get a fresh token. I have found it easier to secure your APIs using basic auth and pass your credentials on every request.

Cheers,
Adam

On 05/01/2012, at 11:57 AM, 2potatocakes wrote:

> Thanks Pat,
>
> Every request within the site has to be done by an authenticated user
> anyways, so the site's partially secure as is. But CSRF attacks work by
> actually using the user's logged-in session details, so normal
> authentication doesn't protect it.
>
> What I'm thinking is that it would at least be a bit safer if I could
> somehow leave the CSRF protection on for all non-XML requests. This
> would still leave the method open to attack but would at least reduce
> the probability of it happening. Am looking into this now.
>
> Kind Regards,
>
> Lucas
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby or Rails Oceania" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/rails-oceania?hl=en.
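As an added illustration (not code from this thread or from Rails), here is framework-free Ruby that combines the two suggestions: a state-changing request is exempt from the token check only when it carries an XML or JSON body and per-request HTTP Basic credentials, and every other state-changing request must present the session-bound authenticity token. The credential table, request hashes and session keys are constructed for the example.

```ruby
require 'base64'

# Constructed sample data for this example; nothing here comes from the thread.
API_CREDENTIALS = { 'importer' => 'example-secret' }.freeze
SAFE_METHODS    = %w[GET HEAD OPTIONS].freeze
# Content types an HTML <form> cannot send, so a cross-site form post never matches.
API_CONTENT_TYPES = %w[application/xml application/json].freeze

# Constant-time comparison so token and password checks do not leak by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Per-request HTTP Basic credentials: returns the user name, or nil if invalid.
def basic_auth_user(request)
  header = request[:headers]['Authorization'].to_s
  return nil unless header.start_with?('Basic ')
  user, pass = Base64.strict_decode64(header.sub('Basic ', '')).split(':', 2)
  expected = API_CREDENTIALS[user]
  expected && pass && secure_equal?(pass, expected) ? user : nil
rescue ArgumentError # malformed base64 in the header
  nil
end

# Returns :ok, :unauthorized or :forbidden_csrf for a request hash.
def authorize(request)
  # Safe methods must not change state, so they need no CSRF check.
  return :ok if SAFE_METHODS.include?(request[:method])

  api_call = API_CONTENT_TYPES.include?(request[:content_type]) &&
             request[:headers].key?('Authorization')
  if api_call
    # The ambient cookie session is ignored here; only the explicit credential counts.
    return basic_auth_user(request) ? :ok : :unauthorized
  end

  # Browser-style request: require the token tied to this session (Rails' authenticity_token).
  token    = request[:params]['authenticity_token'].to_s
  expected = request[:session]['csrf_token'].to_s
  !expected.empty? && secure_equal?(token, expected) ? :ok : :forbidden_csrf
end
```

Browsers cache and re-send Basic credentials, so the Authorization header alone does not rule out a cross-site request; it is the non-form Content-Type, which an HTML form cannot produce and which triggers a CORS preflight from script, that makes the exemption safe.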
