On Wednesday, June 21, 2017 at 12:28:33 AM UTC-4, Mike Orr wrote:

> Do you think CSRF tokens are that important? In some cases you really
> don't want people submitting anything without going through the form,
> but in other cases it doesn't really matter, and in other cases you
> *want* them to be able to submit inter-application search requests
> from their own programs. I've talked with some people about this and
> what I've heard is that if you have HTTPS then that takes care of some
> of the things CSRF tokens were invented for. We just did an evaluation
> of one application and decided that the only form that needs CSRF
> tokens is the login form.
HTTPS doesn't prevent CSRF -- you can still exploit HTTPS endpoints with CSRF attacks. HTTPS secures communication between the browser and the server, but a CSRF attack happens within the browser.

I typically spec out applications like this:

* Everything in `/account` is via HTTPS with a secondary HTTPS-only session (that has a different timeout than the default session), and login-status requires a recent user/pass entry (no autologin). All forms implement CSRF.
* Everything not in `/account` can be https or not (though https is preferred). CSRF is usually irrelevant for these actions.

This does a lot to safeguard against sensitive/personally identifiable data being accessed or manipulated by malicious 3rd parties.

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/1e6daf9e-5185-4dd2-a7f4-190b4a24df4b%40googlegroups.com.
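The point made in the reply above (HTTPS does not stop CSRF, and only the `/account` forms need a token) can be shown with a small synchronizer-token check. The code below is an added example, not code from the thread or from Pyramid; the `Session` and `Request` classes are constructed stand-ins for the framework's own objects, and the three requests in `scenarios()` are constructed inputs. The forged request arrives over HTTPS with a valid session cookie, exactly like the legitimate one, and is rejected only because the attacker's page cannot read the token that the server rendered into its own form. In a real Pyramid application `config.set_default_csrf_options(require_csrf=True)` performs this check for you.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class Session(dict):
    """Server-side session stand-in (constructed; not Pyramid's ISession)."""

    def get_csrf_token(self) -> str:
        # Mint one random token per session on first use. It is stored
        # server-side and rendered into forms; other origins never see it.
        if "csrf_token" not in self:
            self["csrf_token"] = secrets.token_hex(32)
        return self["csrf_token"]


class Request:
    """Minimal request stand-in (constructed). `session` models the
    session cookie the browser attaches to every request, cross-site or not."""

    def __init__(self, method, path, session, scheme="https", POST=None, headers=None):
        self.method = method
        self.path = path
        self.session = session
        self.scheme = scheme
        self.POST = POST or {}
        self.headers = headers or {}


def requires_csrf(path: str) -> bool:
    """The reply's policy: only forms under /account need a token."""
    return path == "/account" or path.startswith("/account/")


def csrf_check(request: Request) -> bool:
    """Synchronizer-token check. The transport (HTTP or HTTPS) plays no
    part: a forged request is delivered over TLS with the victim's cookie,
    so only the token proves the submission came from a form we rendered."""
    if request.method in SAFE_METHODS or not requires_csrf(request.path):
        return True
    expected = request.session.get_csrf_token()
    supplied = request.POST.get("csrf_token") or request.headers.get("X-CSRF-Token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def render_form(session: Session) -> dict:
    """What the server embeds (as a hidden field) when it serves an /account form."""
    return {"csrf_token": session.get_csrf_token(), "email": ""}


def scenarios() -> dict:
    """Three constructed requests sharing one logged-in session."""
    session = Session()
    form = render_form(session)  # legitimate GET of the account page
    legit = Request("POST", "/account/email", session,
                    POST={"csrf_token": form["csrf_token"], "email": "me@example.org"})
    # A third-party page auto-submits a form to our HTTPS endpoint. The browser
    # attaches the victim's cookie, but the page cannot read our hidden token.
    forged = Request("POST", "/account/email", session,
                     POST={"email": "attacker@example.net"})
    # Public search endpoint: deliberately unprotected, per the reply's policy,
    # so scripted inter-application requests still work.
    search = Request("POST", "/search", session, scheme="http", POST={"q": "pyramid"})
    return {
        "legit_account_post": csrf_check(legit),
        "forged_account_post": csrf_check(forged),
        "public_search_post": csrf_check(search),
    }


if __name__ == "__main__":
    print(scenarios())
```

The check is deliberately indifferent to `request.scheme`: tightening the `/account` area to HTTPS (as the reply does) protects the session cookie and form contents in transit, while the token is what ties a state-changing POST to a page this server actually served.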