Forums / Cotonti / Core Labs / Ideas / General CSRF protection for AJAX GET requests

Idea: always include the CSRF token in GETs

GHengeveld
#35179 2012-08-22 07:15

CSRF protection is only necessary for POST requests, not for GET. This, however, does rely on GET requests being idempotent. CSRF attacks are only effective when the script actually does something. If you implement your extension correctly, any action that changes something on the server (usually a db record) is performed using a POST request, never a GET.

If you still want to check every GET request for x, use cot_check_xg(). You can achieve this using a plugin that hooks into common.php.
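The plugin described in the reply above, written out as an added example (it is not code from the post or from Cotonti itself). It assumes the standard Cotonti plugin layout, where a file named after the hook (here ajaxxg.common.php, the plugin code "ajaxxg" being a made-up name) carries a [BEGIN_COT_EXT] header listing Hooks=common, and it assumes cot_check_xg() behaves as in Cotonti 0.9: it reads the x GET parameter and terminates the request when it matches neither the session's current nor its previous key. The X-Requested-With test is an assumption about the client, not a Cotonti rule: jQuery and most AJAX helpers send that header, so limiting the check to such requests keeps ordinary links and bookmarks working.

```php
<?php
/* ====================
[BEGIN_COT_EXT]
Code=ajaxxg
Name=AJAX GET token check
Description=Requires a valid x token on every AJAX GET request (example plugin)
Version=0.1
Hooks=common
[END_COT_EXT]
==================== */

// Standard Cotonti guard: the file must only run inside the framework.
defined('COT_CODE') or die('Wrong URL.');

/**
 * True when the request looks like an AJAX call. Assumption: the client
 * library sets X-Requested-With: XMLHttpRequest (jQuery does by default).
 * Plain page loads and links from other sites normally lack this header.
 */
function ajaxxg_is_ajax_request()
{
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

/**
 * Decide whether this request must carry a valid token.
 * Kept in a function so the rule is easy to read and to change: drop the
 * AJAX condition and every GET on the site will require the token, which
 * also breaks every bookmarked URL and search engine link.
 */
function ajaxxg_requires_token()
{
    return $_SERVER['REQUEST_METHOD'] === 'GET' && ajaxxg_is_ajax_request();
}

if (ajaxxg_requires_token())
{
    // cot_check_xg() compares $_GET['x'] against the session's XSS key
    // (current or previous) and ends the request on a mismatch, so nothing
    // after this line runs for a request that lacks a valid token.
    cot_check_xg();
}
```

The client side has to append the token to each AJAX URL; Cotonti exposes the key to templates, so the usual approach is to print it into the page once and let the script add x=<key> to every request it builds. Note that the X-Requested-With header is itself a meaningful hurdle for a cross-site attacker: a browser will not attach a custom header to a cross-origin request without CORS approval, so a plain <img> or <form> based CSRF attempt never reaches cot_check_xg() in this plugin at all. The token check still matters for the cases the header does not cover, such as a misconfigured CORS policy or a same-origin script injection.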