To deal with CSRF, I think we could use Cake's Security component -
the requirePost function.

On Jul 16, 2:52 am, keymaster <[EMAIL PROTECTED]> wrote:
> Would be nice to get a quick cheatsheet together with two columns:
>
> column A: Security Risk
> column B: Best Practice (using cake).
>
> I'll offer a tentative start (humbly, but realistically, admitting I
> am not expert enough to rely on).
>
> Security risks (column A):
>
> 1. SQL injection
> 2. XSS
> 3. CSRF (cross site request forgery)
> 4. Session hijacking
> 5. Session Fixation
> 6. Brute Force password cracking
> 7. Spoofed HTTP requests
>
> Best practices using cake (column B):
>
> 1. cake does this, we don't need to do anything as long as we use
> cake's model functions.
> 2. needs to be filtered using cake's security component routines.
> 3. ?? - don't know enough about.
> 4. & 5: use cake security HIGH, so session IDs will be changed every
> request, and store sessions in the DB so client side cookies cannot be
> manipulated.
> 6. Cake does not natively support this I don't think, so would need an
> add-on algorithm to detect and deal with it. I believe there is
> something in the bakery for this.
> 7. ?? - not sure.
>
> All are welcome to contribute to either the security risks (column A),
> or the best practice approaches (php and/or cake) for dealing with
> them (column B).


You received this message because you are subscribed to the Google Groups "Cake PHP" group.
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en

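The requirePost idea from the reply above, carried through as an added example that is not from the original thread and not CakePHP's own code: plain PHP (PHP 7 or later, for random_bytes and hash_equals) that pairs the POST-only check with a secret token bound to the user's session. A method check by itself does not stop CSRF, because an attacker's page can auto-submit a form with method="POST" and the browser will attach the victim's session cookie; what the attacker cannot do is read a token that only the legitimately rendered form contains. The `$session` array standing in for `$_SESSION`, the `_csrf` field name and the request scenarios are constructed for illustration.

```php
<?php
// Added example, not CakePHP code: session-bound CSRF token plus POST-only check.
// Assumptions: PHP >= 7.0; $session is a plain array used in place of $_SESSION
// so the script runs from the CLI without a real session or web server.
declare(strict_types=1);

const CSRF_KEY   = 'csrf_token'; // session key name, chosen for this example
const CSRF_FIELD = '_csrf';      // form field name, chosen for this example

// Issue one token per session and reuse it, so several forms on one page all validate.
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session[CSRF_KEY];
}

// Hidden field to embed in every state-changing form. The token is hex, but it is
// escaped anyway so the helper stays safe if the token format ever changes.
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">';
}

// The check a controller action would run before changing state:
// 1) the request must be a POST (the requirePost-style rule), and
// 2) the submitted token must match the one stored in this session.
function isPostWithValidToken(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_KEY] ?? '';
    $given    = $post[CSRF_FIELD] ?? null;
    if ($expected === '' || !is_string($given)) {
        return false; // no token ever issued, or a non-string (array) parameter
    }
    return hash_equals($expected, $given); // constant-time compare, no timing leak
}

function report(string $label, bool $ok): void
{
    printf("%-45s %s\n", $label, $ok ? 'accepted' : 'rejected');
}

// Constructed scenarios, not captured traffic.
$session = [];
$html    = csrfHiddenField($session); // the legitimate form renders this field

// Same-site submission: the form carried the token it was rendered with.
$legit = [CSRF_FIELD => csrfToken($session), 'title' => 'hello'];
report('legit POST with session token', isPostWithValidToken('POST', $legit, $session));

// Cross-site auto-submitted form: it is a POST and the cookie (session) is present,
// but the attacker's page could not read the token, so the field is missing.
$forged = ['title' => 'attacker text'];
report('cross-site POST without token', isPostWithValidToken('POST', $forged, $session));

// Attacker supplies a token of the right length and alphabet but the wrong value.
$guess = [CSRF_FIELD => str_repeat('a', 64), 'title' => 'attacker text'];
report('POST with guessed token', isPostWithValidToken('POST', $guess, $session));

// Token sent as an array (e.g. _csrf[]=...) must not slip past the comparison.
$arr = [CSRF_FIELD => ['x'], 'title' => 'attacker text'];
report('POST with array-typed token parameter', isPostWithValidToken('POST', $arr, $session));

// Correct token but wrong method: state changes still have to arrive as POST.
report('GET with valid token', isPostWithValidToken('GET', $legit, $session));
```

Run it with `php csrf_example.php`; only the first scenario is accepted. The token lives in the server-side session, which fits the thread's own suggestion of storing sessions in the database rather than in client-side cookies, and the comparison uses hash_equals so an attacker cannot narrow the token down byte by byte through response timing.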