Gary, thanks a lot.

On Tuesday, December 16, 2014 12:53:23 PM UTC+1, Gary Verhaegen wrote:
> I've done a little bit of research on that after getting bitten by it too. My
> understanding is that:
>
> * CSRF basically protects against replay attacks. You need it if your users
> can alter the state of your application in a bad way. It's always a tradeoff,
> of course, but if you choose not to use it I would urge you to carefully read
> at least the Wikipedia page on the subject so you can make an informed
> decision. (In my case I decided that, given the nature of the project, this
> was not worth worrying about *for now* and so shut it off.)
> * While it's relatively easy to do with hidden fields in forms, AJAX is more
> difficult. Apparently the best practice is to put the token inside the
> headers of the server responses. It might still be necessary to put one on
> the page somewhere (data-* field, maybe) if the first AJAX call is not a GET
> request.
--
Note that posts from new members are moderated - please be patient with your first post.
---
You received this message because you are subscribed to the Google Groups "ClojureScript" group.
To unsubscribe from this group and stop receiving emails from it, send an email to clojurescript+unsubscr...@googlegroups.com.
To post to this group, send email to clojurescript@googlegroups.com.
Visit this group at http://groups.google.com/group/clojurescript.