Hi Lucas, CSRF protection is not required for API calls because you will likely never consume it using a browser, and moreover never create a session; each API call should reauthenticate from a token or header etc. before processing anything.
Regards,
Ivan Vanderbyl
Sent from my iPhone

On 05/01/2012, at 11:57 AM, 2potatocakes <[email protected]> wrote:

> Thanks Pat,
>
> Every request within the site has to be done by an authenticated user
> anyways, so the site's partially secure as is. But CSRF attacks work by
> actually using the user's logged-in session details, so normal
> authentication doesn't protect it.
>
> What I'm thinking is that it would at least be a bit safer if I could
> somehow leave the CSRF protection on for all non-XML requests. This
> would still leave the method open to attack but would at least reduce
> the probability of it happening. Am looking into this now.
>
> Kind Regards,
>
> Lucas
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby or Rails Oceania" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/rails-oceania?hl=en.
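The two positions in the thread side by side, as an added example in plain Ruby (not code from either poster and not Rails' own protect_from_forgery; the Request struct, the helper names and the sample requests are all constructed for this illustration). The auth-based check skips the CSRF token only for requests that authenticate themselves with an Authorization header and carry no session cookie, which is Ivan's API case; the format-based variant skips it whenever the request asks for XML, which is Lucas's compromise. The demo builds a cross-site POST to a .xml URL to show what each check does with it.

```ruby
require 'securerandom'

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Stand-in for a framework request object (constructed for this example).
# session is a Hash when the request carries a session cookie, nil otherwise.
Request = Struct.new(:method, :headers, :params, :session, keyword_init: true)

# Issue a per-session CSRF token; the server keeps it in the session and
# embeds it in forms or a meta tag so same-origin pages can send it back.
def issue_csrf_token(session)
  session['_csrf_token'] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the token check does not leak a prefix match.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Ivan's case: an API call authenticates itself on every request with a
# credential in a header and carries no session cookie. A cross-site page
# cannot make the victim's browser attach an Authorization header, so the
# request cannot ride on the victim's session.
def api_call?(req)
  req.session.nil? && req.headers['Authorization'].to_s.start_with?('Bearer ')
end

# CSRF check keyed on how the request authenticates.
def csrf_required?(req)
  return false if SAFE_METHODS.include?(req.method.to_s.upcase)
  !api_call?(req)
end

# Lucas's compromise as stated: exempt XML-format requests. The format is
# chosen by whoever builds the request, so a forged form can simply ask for it.
def csrf_required_by_format?(req)
  return false if SAFE_METHODS.include?(req.method.to_s.upcase)
  req.params['format'] != 'xml'
end

def valid_csrf_token?(req)
  expected = req.session && req.session['_csrf_token']
  return false unless expected
  supplied = req.headers['X-CSRF-Token'] || req.params['authenticity_token']
  secure_compare(supplied, expected)
end

def accept?(req)
  csrf_required?(req) ? valid_csrf_token?(req) : true
end

def accept_by_format?(req)
  csrf_required_by_format?(req) ? valid_csrf_token?(req) : true
end

# Constructed requests for the demo: a browser POST that carries the
# session cookie, and a header-authenticated API POST with no session.
def browser_post(session, token: nil, format: 'html')
  params = { 'format' => format }
  params['authenticity_token'] = token if token
  Request.new(method: 'POST', headers: {}, params: params, session: session)
end

def api_post(bearer)
  Request.new(method: 'POST', headers: { 'Authorization' => "Bearer #{bearer}" },
              params: {}, session: nil)
end

if $PROGRAM_NAME == __FILE__
  session = {}
  token = issue_csrf_token(session)
  forged_xml = browser_post(session, format: 'xml') # cross-site form posting to /orders.xml
  puts "same-origin form with token:       #{accept?(browser_post(session, token: token))}"
  puts "forged POST, no token:             #{accept?(browser_post(session))}"
  puts "forged POST to .xml, auth-based:   #{accept?(forged_xml)}"
  puts "forged POST to .xml, format-based: #{accept_by_format?(forged_xml)}"
  puts "bearer-token API call, no session: #{accept?(api_post('s3cret'))}"
end
```

Run it with `ruby csrf_demo.rb`. The auth-based check rejects the forged .xml POST because it still rides on the session cookie, while the format-based exemption lets it through; the header-authenticated API call passes both without a token because there is no session for an attacker to reuse.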
