On Sun, Apr 14, 2013 at 4:59 AM, Tom Christie <christie....@gmail.com>wrote:

> One minor correction worth pointing out...
>
>>> "The first defense against CSRF attacks is to ensure that GET requests are
>>> side-effect free." What's meant by "side effect free"?
>>
>> It means that the request must be idempotent - that if you make the same
>> request on the server multiple times, you get the same result each time.
>
> That should read: "It means that the request must be
> `safe <http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1>`
> - that if you make a request it does not modify, create or delete data on
> the server".
>
> Whether the request is
> idempotent <http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2> or
> not isn't relevant.  In particular, PUT and DELETE requests should be
> idempotent, but they are not safe, and do require CSRF protection.
>

Gah - you are, of course, completely correct. My apologies to the OP for
confusing the two.

Yours,
Russ Magee %-)
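The distinction Tom draws above is exactly the one a CSRF middleware relies on, so here is a small added illustration (written for this archive page, not code from the thread or from Django itself). It models a Django-style CSRF check that, like CsrfViewMiddleware, skips the four methods RFC 2616/7231 call "safe" (GET, HEAD, OPTIONS, TRACE) and compares a csrftoken cookie against a csrfmiddlewaretoken form field for everything else. With that gate in place, a view that deletes data on GET is still reachable from a hostile page via a plain `<img src=...>`, while the same deletion behind POST is blocked because the attacker cannot read the victim's token. The app, routes, item store and attack scenarios are constructed for the example; PUT and DELETE are shown to be idempotent but not safe, which is why they fall on the protected side of the gate.

```python
"""Added example: "safe" (not "idempotent") is the property CSRF defenses key on.

A toy in-memory app with a Django-style CSRF gate. Everything here (App,
Request, the /items routes, the attack helpers) is constructed for the
illustration and is not Django's own code.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# RFC 2616 sec 9.1.1 / RFC 7231 sec 4.2.1: methods that must not change state.
# This is also the set Django's CsrfViewMiddleware exempts from the token check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
# RFC 2616 sec 9.1.2: idempotent is a superset of safe. PUT and DELETE repeat
# harmlessly, yet they modify data, so they still need CSRF protection.
IDEMPOTENT_METHODS = SAFE_METHODS | {"PUT", "DELETE"}


def is_safe(method: str) -> bool:
    return method.upper() in SAFE_METHODS


def is_idempotent(method: str) -> bool:
    return method.upper() in IDEMPOTENT_METHODS


def needs_csrf_protection(method: str) -> bool:
    # Idempotency is irrelevant here; only safety matters.
    return not is_safe(method)


class CsrfFailure(Exception):
    pass


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # sent by the browser automatically
    post: dict = field(default_factory=dict)      # form body the page controls


class App:
    def __init__(self):
        self.items = {"1": "draft", "2": "report"}  # constructed sample data
        self.routes = {}

    def route(self, method, path):
        def deco(fn):
            self.routes[(method.upper(), path)] = fn
            return fn
        return deco

    def csrf_check(self, req: Request) -> None:
        """Django-style gate: safe methods pass untouched, all others must carry
        a form token matching the cookie (double-submit cookie pattern)."""
        if is_safe(req.method):
            return
        cookie = req.cookies.get("csrftoken", "")
        submitted = req.post.get("csrfmiddlewaretoken", "")
        if not cookie or not hmac.compare_digest(cookie, submitted):
            raise CsrfFailure(f"{req.method} {req.path}: CSRF token missing or mismatched")

    def dispatch(self, req: Request):
        self.csrf_check(req)
        handler = self.routes.get((req.method.upper(), req.path))
        if handler is None:
            return 404, "not found"
        return handler(self, req)


def build_vulnerable_app() -> App:
    app = App()

    @app.route("GET", "/items/2/delete")
    def delete_via_get(app, req):
        app.items.pop("2", None)      # state change on a "safe" method: the bug
        return 200, "deleted"
    return app


def build_fixed_app() -> App:
    app = App()

    @app.route("POST", "/items/2/delete")
    def delete_via_post(app, req):
        app.items.pop("2", None)      # same action, now behind the CSRF gate
        return 200, "deleted"
    return app


# Victim's browser cookies; the attacker's page never gets to read these.
VICTIM_COOKIES = {"sessionid": "victim-session", "csrftoken": "victim-token"}


def cross_site_img_attack(app: App) -> bool:
    """Victim loads attacker HTML containing <img src=".../items/2/delete">.
    The browser issues a GET with cookies attached and no form body.
    Returns True if item 2 was deleted."""
    try:
        app.dispatch(Request("GET", "/items/2/delete", cookies=dict(VICTIM_COOKIES)))
    except CsrfFailure:
        pass
    return "2" not in app.items


def cross_site_form_attack(app: App) -> bool:
    """Attacker auto-submits a cross-site <form method="POST">. Cookies ride
    along, but the body cannot contain a token the attacker cannot read."""
    try:
        app.dispatch(Request("POST", "/items/2/delete", cookies=dict(VICTIM_COOKIES), post={}))
    except CsrfFailure:
        return False
    return "2" not in app.items


def legitimate_post(app: App) -> bool:
    """Same-origin form rendered by the app: cookie and form token agree."""
    token = secrets.token_hex(16)
    app.dispatch(Request("POST", "/items/2/delete",
                         cookies={"csrftoken": token}, post={"csrfmiddlewaretoken": token}))
    return "2" not in app.items
```

Running the attack helpers against both apps shows the thread's point concretely: the GET-based delete is exploited with zero tokens because the gate never looks at it, and moving the mutation to POST makes the same cross-site request fail the token check while a same-origin form still works. The real CsrfViewMiddleware adds more than this sketch (token masking, Referer/Origin checks on HTTPS), but the method gate it starts from is the same one shown here.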
