Hi,

Is there a best practice to avoid CSRF attacks on TG2 servers? The options that spring to mind are:

- side-effecty calls must be POST form submissions (and check the HTTP method in the server method)
- add an unguessable token to side-effecty GET requests
For the latter, I'm guessing some unique ID from the session would be best - any tips on what to use specifically? Any further suggestions on ways to prevent CSRF?

Thanks,
James
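The two defences sketched in the question (side effects only on POST, plus a per-session unguessable token that the form must echo back) combined into one check, as an added example that is not part of the original post and not TurboGears' own code. It uses only the standard library; the session is a plain dict standing in for the server-side session store, and the `require_post_with_token` decorator and its `handler(session, method, form, **params)` signature are hypothetical stand-ins for how a TG2 controller method would receive the request.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session: a dict keyed by field name.
# In TG2 this would be the Beaker-backed session object.
SESSION_TOKEN_KEY = "_csrf_token"


def get_or_create_token(session):
    """Return the per-session CSRF token, minting one if absent.

    The token is random and unguessable, lives only server-side, and is
    embedded into forms as a hidden field that must be echoed back."""
    token = session.get(SESSION_TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_TOKEN_KEY] = token
    return token


def hidden_field(session):
    """Render the hidden <input> a form template would include.

    token_urlsafe output is ASCII-safe, so no HTML escaping is needed here."""
    return '<input type="hidden" name="csrf_token" value="%s">' % get_or_create_token(session)


def is_request_allowed(session, method, form):
    """Decide whether a request may execute a side-effecting action.

    1. Only POST may cause side effects: a GET/HEAD reaching a state-changing
       endpoint is rejected, so a cross-site <img> or link cannot trigger it.
    2. The POST must carry a csrf_token equal to the session's token,
       compared in constant time to avoid leaking how many bytes matched.
    """
    if method.upper() != "POST":
        return False
    expected = session.get(SESSION_TOKEN_KEY)
    supplied = form.get("csrf_token")
    if not isinstance(expected, str) or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def require_post_with_token(handler):
    """Hypothetical decorator for a controller method; returns (status, body)."""
    def wrapper(session, method, form, **params):
        if not is_request_allowed(session, method, form):
            return 403, "CSRF check failed"
        return 200, handler(session, method, form, **params)
    return wrapper


@require_post_with_token
def delete_item(session, method, form, item_id=None):
    # The side-effecting action; only reachable through the check above.
    return "deleted %s" % item_id


def demo():
    """Legitimate submit vs. two forged requests (constructed inputs)."""
    session = {}
    hidden_field(session)          # rendering the page mints the token
    token = session[SESSION_TOKEN_KEY]
    legit = delete_item(session, "POST", {"csrf_token": token}, item_id="42")
    forged_get = delete_item(session, "GET", {}, item_id="42")
    forged_post = delete_item(session, "POST", {"csrf_token": "guess"}, item_id="42")
    return legit, forged_get, forged_post


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session rather than derived from anything the attacker can observe (a user id or a timestamp would be guessable), and it is regenerated only when the session has none, so every form rendered in that session carries the same value and the check stays simple.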

