Forums / Cotonti / Core Labs / Ideas / General CSRF protection for AJAX GET requests

Idea: always include the CSRF token in GETs

ez
#35180 22.08.2012 08:14

I know that strictly speaking only POST should be used for changing data. However, I regularly use GETs to alter data in the DB (flags and things like that).

In general: any request that can change data on the server, whether GET or POST, should have the XSS protection. Developers should be aware of this.

So everybody who uses GETs to alter data should add a protection.


Nice article for the interested people: http://teamtreehouse.com/blog/the-definitive-guide-to-get-vs-post

==- I say: Keep it EZ -==
Edited by: ez (22.08.2012 08:28, 11 years ago)
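The protection the post asks for, as an added PHP example that is not Cotonti's own code: one random token per session, appended to every state-changing AJAX GET URL and verified with a constant-time compare before the handler touches the database. The session key `csrf_token`, the query parameter `x` and the `handle_toggle_flag` handler are assumed names, not Cotonti's.

```php
<?php
// Added example, not part of the Cotonti code base.
session_start();

// Issue one unpredictable token per session (key name is an assumption).
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Build the GET URL that the AJAX call will request; the token travels in 'x'
// (assumed parameter name) alongside the normal parameters.
function csrf_url(string $base, array $params): string {
    $params['x'] = csrf_token();
    return $base . '?' . http_build_query($params);
}

// Verify the token on the incoming GET. hash_equals() keeps the comparison
// constant-time; a missing session token or a non-string value is a failure.
function csrf_check(array $query): bool {
    if (empty($_SESSION['csrf_token']) || !isset($query['x']) || !is_string($query['x'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $query['x']);
}

// A state-changing GET handler (assumed name): refuse before doing any work.
function handle_toggle_flag(array $query): int {
    if (!csrf_check($query)) {
        http_response_code(403);
        return 403;
    }
    // ... update the flag for $query['id'] in the DB here ...
    return 200;
}

// Server side renders the URL the JavaScript will call, so the token is included.
$url = csrf_url('/index.php', ['e' => 'myext', 'a' => 'toggle', 'id' => 42]);

// Request side: $_GET holds the parsed query string of the AJAX GET.
$status = handle_toggle_flag($_GET);
```

Because the token sits in the URL it will show up in server logs and Referer headers, so it must be bound to the session (as above) rather than reused across users, and should be rotated when the session is renewed.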