Hi, What are your best practices against Cross-Site Request Forgery?
According to owasp.org a CSRFToken should be generated and added as a hidden form value. Does Apache Httpd support this out-of-the-box (incl. validation of the token for each subsequent request until the session expires)? Best Regards, Henrik https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [email protected] " from the digest: [email protected] For additional commands, e-mail: [email protected]
