On Mar 11, 2008, at 10:23 AM, Joe Orton wrote:
> It occurred to me recently that it is relatively simple to prevent "CSRF" attacks against the balancer-handler (see CVE-2007-6420), by generating a "secret" nonce at startup and requiring the presence of that secret in the submitted parameters. Any objections?
It's not "secret" of course, but I agree that this is a VERY easy and elegant way to add some protection. +1!
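
The startup-nonce check proposed in this thread, sketched in C as an added example (it is not code from either message or from httpd). The `nonce` parameter name, the function names, the constructed query strings and the use of `/dev/urandom` are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NONCE_HEX_LEN 32            /* 16 random bytes, hex encoded */
static char startup_nonce[NONCE_HEX_LEN + 1];

/* Called once at server startup: fill the nonce from the OS random source
 * (assumes a Unix-like system that provides /dev/urandom). */
int nonce_init(void)
{
    unsigned char raw[NONCE_HEX_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(startup_nonce + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Compare without an early exit so timing does not reveal a matching prefix. */
static int ct_equal(const char *a, const char *b, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Return 1 only if the submitted parameters carry nonce=<startup nonce>.
 * The handler would call this before applying any state change. */
int request_has_valid_nonce(const char *query)
{
    static const char key[] = "nonce=";
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == sizeof key - 1 + NONCE_HEX_LEN &&
            strncmp(p, key, sizeof key - 1) == 0)
            return ct_equal(p + sizeof key - 1, startup_nonce, NONCE_HEX_LEN);
        p = end ? end + 1 : NULL;
    }
    return 0;   /* parameter missing or wrong length: reject the change */
}
```

The handler embeds `startup_nonce` in every link and form it renders, so a forged cross-site request, whose author cannot read that page, arrives without the value and is rejected.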
