CSRF protection should be considered a dependency of session-based authentication:
If you're using session-based authentication, you should always enable CSRF protection. If you disable CSRF protection, you should also disable session-based authentication.

-- Paul

On 05/01/2012, at 12:28 PM, Ivan Vanderbyl wrote:

> Hi Lucas,
>
> CSRF protection is not required for API calls because you will likely never
> consume it using a browser, and moreover never create a session; each API
> call should reauthenticate from a token or header etc. before processing
> anything.
>
> Regards,
> Ivan Vanderbyl
>
> Sent from my iPhone
>
> On 05/01/2012, at 11:57 AM, 2potatocakes <[email protected]> wrote:
>
>> Thanks Pat,
>>
>> Every request within the site has to be done by an authenticated user
>> anyways, so the site's partially secure as is. But CSRF attacks work by
>> actually using the user's logged-in session details, so normal
>> authentication doesn't protect it.
>>
>> What I'm thinking is that it would at least be a bit safer if I could
>> somehow leave the CSRF protection on for all non-XML requests. This
>> would still leave the method open to attack but would at least reduce
>> the probability of it happening. Am looking into this now.
>>
>> Kind Regards,
>>
>> Lucas
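The policy Paul states, worked through as an added example (plain Ruby written for this page, not code from the thread or from Rails). It models the three requests the thread talks about: a same-site form post carrying the page's CSRF token, an API client authenticating each request with an Authorization header as Ivan describes, and a request forged from an attacker's page, where the victim's browser attaches the session cookie and the attacker chooses the format. `Request`, `API_TOKENS`, `VICTIM_SESSION` and the two `authorize_*` functions are hypothetical stand-ins for a Rails request, token store, session and `protect_from_forgery` configuration; `authorize_skip_xml` is the "CSRF only for non-XML requests" variant Lucas proposes, shown beside the strict rule.

```ruby
# Added example; not code from the thread. It models the rule in Paul's reply:
# a request authenticated by an ambient session cookie must also carry a CSRF
# token bound to that session, while a request authenticated by an explicit
# per-request credential (an Authorization header) has nothing the browser
# attaches automatically, so it needs no CSRF token. Request is a plain Struct
# standing in for a Rails request; the token store and session are constructed.
require "securerandom"

Request = Struct.new(:method, :format, :session, :csrf_token, :auth_header,
                     keyword_init: true)

API_TOKENS = { "tok-abc123" => "lucas" }.freeze  # constructed sample token store
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze        # read-only verbs, no state change

# Compare two strings without leaking the position of the first mismatch.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Per-request credential lookup; nil when no valid bearer token is present.
def api_user(req)
  token = req.auth_header.to_s.sub(/\ABearer\s+/, "")
  API_TOKENS[token]
end

# Paul's rule: session-based authentication implies CSRF protection.
# Returns [:ok, user], [:csrf_rejected, nil] or [:unauthenticated, nil].
def authorize_strict(req)
  if (user = api_user(req))
    return [:ok, user]  # per-request credential; the session cookie is ignored
  end
  session = req.session
  return [:unauthenticated, nil] unless session && session[:user]
  return [:ok, session[:user]] if SAFE_METHODS.include?(req.method)
  return [:csrf_rejected, nil] unless constant_time_equal?(req.csrf_token, session[:csrf_secret])
  [:ok, session[:user]]
end

# Lucas's proposal: keep the CSRF check only for non-XML requests, but keep
# honouring the session cookie for XML ones. Shown here as the weak variant.
def authorize_skip_xml(req)
  return authorize_strict(req) unless req.format == :xml
  return [:ok, api_user(req)] if api_user(req)
  session = req.session
  return [:unauthenticated, nil] unless session && session[:user]
  [:ok, session[:user]]  # no CSRF token required: the ambient cookie alone suffices
end

# Constructed victim session, as the server would hold it.
VICTIM_SESSION = { user: "victim", csrf_secret: SecureRandom.hex(16) }.freeze

# A request forged from an attacker's page: the victim's browser attaches the
# session cookie, the attacker picks the format (e.g. via ?format=xml), and no
# CSRF token is present because the attacker cannot read it.
def forged_xml_request
  Request.new(method: "POST", format: :xml, session: VICTIM_SESSION,
              csrf_token: nil, auth_header: nil)
end

# A legitimate same-site form post carrying the token from the rendered page.
def legitimate_html_request
  Request.new(method: "POST", format: :html, session: VICTIM_SESSION,
              csrf_token: VICTIM_SESSION[:csrf_secret], auth_header: nil)
end

# An API client authenticating per request, as Ivan describes; no session.
def api_request
  Request.new(method: "POST", format: :xml, session: nil, csrf_token: nil,
              auth_header: "Bearer tok-abc123")
end

if __FILE__ == $PROGRAM_NAME
  puts "forged XML, skip-XML policy: #{authorize_skip_xml(forged_xml_request).inspect}"
  puts "forged XML, strict policy:   #{authorize_strict(forged_xml_request).inspect}"
  puts "legit form, strict policy:   #{authorize_strict(legitimate_html_request).inspect}"
  puts "API token, strict policy:    #{authorize_strict(api_request).inspect}"
end
```

The forged XML request is accepted under the skip-XML policy and rejected under the strict one, while the genuine form post and the token-authenticated API call pass either way. The point the example makes is the one in Paul's reply: the CSRF check can only be dropped for requests whose authentication does not ride on the cookie the browser sends automatically, so the decision has to follow the credential in use, not the requested format.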
