:) Thanks again, I was also looking at alternate API authentication
methods so I'll have a look at what you've suggested, thanks!
At the moment it looks like it'd be WAY too much work to try
separating out all this stuff and I'll never get approval to do it. I
agree with having separate namespaces though; it would make things a
lot cleaner, but it is the way it is at the moment I'm afraid:
everything currently shares controller methods and respond_to blocks.
I've just added this to my application controller and it seems to be
working OK for what I need now though.
before_filter(:except => [:index, :show]) do |controller|
  protect_from_forgery unless controller.request.format.xml?
end
We had a security profile of the site done recently and it scored
really well except for this CSRF vulnerability (apparently). CSRF
attacks are so incredibly rare, but this web security company still
made it sound like the sky was falling, so hopefully this fix will
allow my managers to sleep at night now ;)
Thanks again for your input, guys.
Lucas
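As an added example (not Lucas's code and not Rails' own implementation), here is a standalone Ruby model of the decision that filter encodes, which also shows the one check it leaves out: an XML-format POST is only worth exempting from the token when it authenticates itself with an explicit API credential instead of the session cookie. The Request struct, the X-API-Key header name and the sample requests are assumptions.

```ruby
require 'securerandom'

# Constructed stand-in for the pieces of a Rails request the check looks at.
Request = Struct.new(:http_method, :format, :params, :headers, :session)

SAFE_METHODS = %w[GET HEAD].freeze # the :index / :show style actions

# An XML request is only trusted without a token when it carries an explicit
# API credential (assumed header name) rather than riding on the browser's
# session cookie: a cross-site form can still POST to a .xml URL, so the
# format alone does not prove the caller is an API client.
def api_request?(request)
  request.format == 'xml' && !request.headers['X-API-Key'].to_s.empty?
end

def session_token(session)
  session[:_csrf_token] ||= SecureRandom.hex(16)
end

# Constant-time comparison so a wrong token fails in time independent of
# how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The decision the before_filter makes: safe method -> pass, authenticated
# API call -> pass, anything else must present the session's token.
def verified_request?(request)
  return true if SAFE_METHODS.include?(request.http_method)
  return true if api_request?(request)
  secure_compare(session_token(request.session), request.params['authenticity_token'])
end

# Constructed sample requests: GET, token POST, token-less POST, token-less
# XML POST with only a cookie, XML POST with an API key.
def demo
  session = {}
  token = session_token(session)
  [
    Request.new('GET',  'html', {}, {}, session),
    Request.new('POST', 'html', { 'authenticity_token' => token }, {}, session),
    Request.new('POST', 'html', {}, {}, session),
    Request.new('POST', 'xml',  {}, {}, session),
    Request.new('POST', 'xml',  {}, { 'X-API-Key' => 'constructed-key' }, session)
  ].map { |r| verified_request?(r) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__ # => [true, true, false, false, true]
```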