On Tue, Jan 13, 2009 at 3:20 PM, phil <[email protected]> wrote:
>
> Sorry... what? Your answer is somewhat cryptic...
>
> Are you recommending http basic?
>
> On Jan 13, 1:16 pm, Frederick Cheung <[email protected]>
> wrote:
> > On 13 Jan 2009, at 11:08, phil wrote:
> >
> > > isn't that a security hole?
> > > Is there a way around this with some sort of authentication on the
> > > method? (http basic for instance)?
> > > Could I do what you suggest but then also code the method to use that?
> >
> > You're not going to want to have csrf tokens and what not for an api.
> > It doesn't make any sense. Use http basic, restrict it to requests
> > from the internal network, use api tokens etc... etc...
> > The world is your oyster.
> >
> > Fred
> >

Request forgery protection is to protect against things like cross-site scripting. For an API, you should probably be protecting requests via an authentication method, which could include http basic authentication; you could also use an API token, where a unique (to the user of the API) token is sent with every request.
--
Andrew Timberlake
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

"I have never let my schooling interfere with my education" - Mark Twain
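
The options named in the thread (HTTP basic, a per-client API token sent with every request, restriction to the internal network), combined in one check. This is an added example in plain Ruby, not code from the thread or from Rails; the `X-Api-Token` header name, the network ranges, the function names and all credentials are constructed assumptions.

```ruby
require "digest"
require "ipaddr"

# Constructed sample data. Secrets are held as SHA-256 digests so every
# comparison has a fixed length; real password storage would use a slow
# hash such as bcrypt instead.
TOKEN_DIGESTS = {
  "reporting-service" => Digest::SHA256.hexdigest("constructed-sample-token-1")
}.freeze
BASIC_USERS = {
  "apiuser" => Digest::SHA256.hexdigest("constructed-sample-password")
}.freeze
INTERNAL_NETS = [IPAddr.new("10.0.0.0/8"), IPAddr.new("127.0.0.1/32")].freeze

# Constant-time equality: XOR every byte pair instead of stopping at the
# first mismatch, so timing does not reveal how much of a guess matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def digest_match?(expected_hex, candidate)
  secure_equal?(expected_hex, Digest::SHA256.hexdigest(candidate))
end

# Returns the authenticated client name, or nil when the request is rejected.
def authenticate_api_request(remote_ip, headers)
  begin
    ip = IPAddr.new(remote_ip)
  rescue ArgumentError # includes IPAddr::InvalidAddressError
    return nil
  end
  return nil unless INTERNAL_NETS.any? { |net| net.include?(ip) }

  # API token: unique per API client, sent with every request.
  if (token = headers["X-Api-Token"])
    TOKEN_DIGESTS.each { |client, digest| return client if digest_match?(digest, token) }
    return nil
  end

  # HTTP basic: "Authorization: Basic base64(user:password)".
  scheme, encoded = headers["Authorization"].to_s.split(" ", 2)
  return nil unless scheme.to_s.casecmp?("Basic") && encoded
  user, password = encoded.unpack1("m").split(":", 2)
  expected = BASIC_USERS[user]
  return nil unless expected && password
  digest_match?(expected, password) ? user : nil
end
```

Both credential types travel in cleartext-equivalent form, so a check like this belongs behind TLS.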

