Hello, is there any best practice for protecting against cross-site request forgery in Stripes?
I'm building a site with very strict security requirements that require me to protect against CSRF attacks, among other things. I've done a preliminary implementation based on an "expected token" that is required as a parameter in every page. There is a servlet filter that checks that the token parameter in the request matches the one in the session and generates a new one into the session. I've extended the link and form tags to include this parameter. Rather easy to implement, and it should protect rather well, as the attacker has to guess the expected token, which is not very likely since the token is a random long, but it is cumbersome, as every request must have the token as a parameter. I'd rather find a more elegant solution to this problem.

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
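The synchronizer-token scheme the post describes (a servlet filter that compares a request parameter against a token kept in the session and then rotates the session token), written out as an added example. This is not code from the poster or from the Stripes project; the parameter name `_csrf`, the session attribute name `csrf.expectedToken` and the `currentToken` helper for the extended link/form tags are assumptions for the example. It goes slightly beyond the post in two respects: the token is a 256-bit value from `SecureRandom` rather than a random long, and the comparison is constant-time (`MessageDigest.isEqual`) so a timing side channel cannot help an attacker guess it.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Synchronizer-token CSRF filter (added example, not Stripes code).
 * Every request after the first in a session must carry the token that
 * the previous response embedded; the filter then rotates the token.
 */
public class CsrfTokenFilter implements Filter {

    // Names are assumptions for this example; pick your own.
    public static final String PARAM = "_csrf";
    public static final String SESSION_ATTR = "csrf.expectedToken";

    private static final SecureRandom RNG = new SecureRandom();

    /** 256 bits of CSPRNG output, hex-encoded, so guessing is infeasible. */
    public static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return new BigInteger(1, raw).toString(16);
    }

    /** Constant-time comparison; a missing token never matches. */
    public static boolean tokensMatch(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    /** What the extended link and form tags read when rendering a page. */
    public static String currentToken(HttpServletRequest request) {
        return (String) request.getSession(true).getAttribute(SESSION_ATTR);
    }

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        String expected = (String) session.getAttribute(SESSION_ATTR);

        // A brand-new session has no expected token yet; only issue one.
        // Every later request must present the token from the last page.
        if (expected != null && !tokensMatch(expected, request.getParameter(PARAM))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "CSRF token missing or invalid");
            return;
        }

        // Rotate before the page renders so the tags embed the new value.
        session.setAttribute(SESSION_ATTR, newToken());
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml on the same URL pattern as the Stripes dispatcher, and have the extended link and form tags append `PARAM=currentToken(request)` to every URL and form they render. Two caveats a practitioner should weigh before adopting the per-request rotation: a token that changes on every request breaks the back button and any second tab, because the page already on screen holds a token that is no longer the expected one, and a token placed in a link URL ends up in browser history, server logs and `Referer` headers, so per-session tokens sent only in POST bodies (with GET kept side-effect free) are the more common trade-off.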