On Wed, Oct 20, 2010 at 04:11:16AM -0700, James wrote:
> Hi,
> Is there best practice to avoid CSRF attacks on TG2 servers?
>
> The options that spring to mind are:
> - side-effecty calls must be POST form submissions (and check the HTTP
> method in the server method)
>

Oh -- one other note. Restricting to POST doesn't help. You need to have an unguessable token whether the request comes in via GET or POST.
-Toshio
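The per-request token check Toshio describes, as an added example that is not part of the thread or of TG2's own code: a synchronizer token tied to the session, verified on every side-effecting handler whether the request arrives by GET or POST. The `session`, `request` and `store` dicts stand in for the framework objects and are assumptions of this example.

```python
import hmac
import secrets

# Minimal synchronizer-token CSRF check in the style a TG2 controller
# would use (added example; not TG2's own API). "session" and "request"
# are plain dicts standing in for the framework objects.

TOKEN_KEY = "_csrf_token"

def issue_csrf_token(session):
    """Create (or reuse) a per-session unguessable token and return it.
    The server-rendered form embeds it in a hidden field (or a link's
    query string), so a page on another origin cannot know it."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]

def csrf_valid(session, request):
    """True only if the submitted token matches the session's token.
    Checked for every side-effecting call, GET or POST alike, because
    restricting to POST by itself does not stop a forged form submission."""
    expected = session.get(TOKEN_KEY)
    supplied = request.get("params", {}).get(TOKEN_KEY)
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time compare

def delete_item(session, request, store):
    """Side-effecting handler: refuses the action unless the token is
    present and correct, regardless of the HTTP method used."""
    if not csrf_valid(session, request):
        return 403, "CSRF token missing or invalid"
    item_id = request["params"].get("id")
    if item_id not in store:
        return 404, "no such item"
    del store[item_id]
    return 200, "deleted"

if __name__ == "__main__":
    # Constructed sample session and data store.
    session = {}
    store = {"42": "draft"}
    token = issue_csrf_token(session)
    forged = {"method": "POST", "params": {"id": "42"}}  # cross-site form, no token
    print(delete_item(session, forged, store))            # (403, ...)
    genuine = {"method": "POST", "params": {"id": "42", TOKEN_KEY: token}}
    print(delete_item(session, genuine, store))           # (200, 'deleted')
```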