One minor correction worth pointing out...

>> "The first defense against CSRF attacks is to ensure that GET requests are
>> side-effect free." What's meant by "side effect free"?
>
> It means that the request must be idempotent - that if you make the same
> request on the server multiple times, that you get the same result each
> time.

That should read: "It means that the request must be
safe <http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1>
- that if you make a request it does not modify, create or delete data on
the server".

If the request is
idempotent <http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2> or
not isn't relevant.  In particular PUT and DELETE requests should be
idempotent, but they are not safe, and do require CSRF protection.

Cheers,

  Tom

On Saturday, 13 April 2013 02:07:47 UTC+1, testbac...@gmail.com wrote:
>
> Russ,
>
> This is a really great explanation of CSRF vulnerabilities, and I think I 
> have a handle on what I need to do now.
>
> Thanks for taking to time to spell things out for me.
>
> Best,
>
> Spork
>

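To make the safe-versus-idempotent distinction concrete, here is an added example (my own toy model, not code from this thread or from Django itself) that mirrors the rule Django's CsrfViewMiddleware applies: GET, HEAD, OPTIONS and TRACE skip the token check, every other method must carry a token matching the cookie. The in-memory item store, routes and token values are constructed for the demo.

```python
"""Toy model of the CSRF method rule: a state-changing GET view is reachable
without any token, while DELETE (idempotent, but not safe) is checked."""
import hmac

# Methods the middleware assumes are side-effect free and therefore never
# subjects to the token check. Any view that mutates data on one of these
# methods is unprotected, which is why GET must be safe.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def csrf_check(method, cookie_token, submitted_token):
    """Return True if the request may proceed. Safe methods are not checked;
    all other methods need a submitted token equal to the cookie token."""
    if method in SAFE_METHODS:
        return True
    if cookie_token is None or submitted_token is None:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)


def make_app():
    """Build a tiny app with a misuse (delete on GET) and a correct route.
    Returns (handle, items) so a caller can inspect server state."""
    items = {"1": "draft", "2": "invoice"}  # constructed sample data

    def delete_via_get(item_id):     # GET with a side effect: not safe
        return items.pop(item_id, None)

    def delete_via_delete(item_id):  # DELETE: idempotent, still not safe
        return items.pop(item_id, None)

    routes = {("GET", "/delete"): delete_via_get,
              ("DELETE", "/item"): delete_via_delete}

    def handle(method, path, item_id, cookie_token=None, submitted_token=None):
        """Dispatch one request; returns (status, removed_value_or_None)."""
        if not csrf_check(method, cookie_token, submitted_token):
            return 403, None
        handler = routes.get((method, path))
        if handler is None:
            return 405, None
        removed = handler(item_id)
        return (200, removed) if removed is not None else (404, None)

    return handle, items
```

Repeating the token-bearing DELETE leaves the store in the same state (that is idempotency); the first call still destroyed data, which is why it needs the token and a GET never should do this.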
-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.