[users@httpd] Cross-Site Request Forgery

2012-02-20 Thread Henrik Strand
Hi, What are your best practices against Cross-Site Request Forgery? According to owasp.org a CSRFToken should be generated and added as a hidden form value. Does Apache Httpd support this out-of-the-box (incl. validation of the token for each subsequent request until the session expires)?

Re: [users@httpd] Cross-Site Request Forgery

2012-02-20 Thread Mark Montague
On February 20, 2012 5:50 , Henrik Strand henrik.str...@axis.com wrote: What are your best practices against Cross-Site Request Forgery? Use of a CSRF token as described on the OWASP page you linked in your original message. Does Apache Httpd support this out-of-the-box (incl. validation
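The pattern Henrik asks about and Mark recommends (a per-session token placed in a hidden form field and checked on every state-changing request until the session expires) is an application-level control, which is why httpd itself does not validate it. The following Python example is added here to show the mechanics; it is not code from the thread, from OWASP, or from httpd, and the names CsrfSession, SessionStore, render_form and handle_post are assumptions for the illustration. The request inputs at the bottom are constructed.

```python
"""Synchronizer-token CSRF protection at the application level.

Assumed names (not from the thread): CsrfSession, SessionStore,
render_form, handle_post. Inputs used at the bottom are constructed.
"""
import hmac
import html
import secrets


class CsrfSession:
    """Server-side session state for one logged-in user."""

    def __init__(self):
        # One unpredictable secret per session; it lives exactly as long
        # as the session does and is only ever sent in a hidden POST field.
        self.csrf_token = secrets.token_urlsafe(32)


class SessionStore:
    """Minimal in-memory session store keyed by an opaque session id."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = CsrfSession()
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def expire(self, sid):
        # Expiring the session discards its token too, so a token copied
        # from an old page cannot be replayed against a later session.
        self._sessions.pop(sid, None)


def csrf_hidden_field(session):
    """Hidden form field carrying the session's token (HTML-escaped)."""
    return ('<input type="hidden" name="csrf_token" value="%s">'
            % html.escape(session.csrf_token))


def render_form(session, action="/transfer"):
    """A state-changing form with the token embedded as a hidden field."""
    return ('<form method="post" action="%s">%s'
            '<input type="submit" value="Go"></form>'
            % (html.escape(action), csrf_hidden_field(session)))


def validate_csrf(session, form):
    """True only if the submitted token matches this session's token."""
    submitted = form.get("csrf_token", "")
    if not submitted or session is None:
        return False
    # Constant-time comparison on bytes, so odd input cannot raise or
    # leak timing information about the stored token.
    return hmac.compare_digest(submitted.encode("utf-8"),
                               session.csrf_token.encode("utf-8"))


def handle_post(store, sid, form):
    """Run the check on every state-changing request before acting on it."""
    session = store.get(sid)
    if not validate_csrf(session, form):
        return 403, "Forbidden: missing or invalid CSRF token"
    return 200, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.new_session()
    page = render_form(store.get(sid))  # page served to the browser
    # Constructed legitimate request: the browser submits the page's token.
    print(handle_post(store, sid, {"csrf_token": store.get(sid).csrf_token}))
    # Constructed cross-site request: a third-party page cannot read the
    # token, so the request arrives without it and is rejected.
    print(handle_post(store, sid, {"amount": "100"}))
```

The point to take from the design is that the token is bound to the session on the server side and is checked on every POST, not just the first one; expiring the session is what ends the token's validity, which is exactly the "until the session expires" behaviour asked about in the original message.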

Re: [users@httpd] Cross-Site Request Forgery

2012-02-20 Thread Tom Evans
On Mon, Feb 20, 2012 at 2:26 PM, Mark Montague m...@catseye.org wrote: On the other hand, I could see providing CSRF protection at the web server level as being useful, since you then would not need to trust each web application author to both completely implement CSRF protection and to

AW: [users@httpd] Cross-Site Request Forgery

2012-02-20 Thread Abfalterer, Armin
Does anyone know of ANY web server that provides CSRF protection at the web server level? I'm curious. Take a look at mod_security, which provides a CSRF prevention mechanism by means of JS injection.