Hello Florian,

"pelzflorian (Florian Pelz)" <pelzflor...@pelzflorian.de> writes:

> On 03/12/2017 03:49 PM, Mathieu Lirzin wrote:
>> Sensitive requests should be done with an
>> authentication mechanism which is not determined yet. I currently
>> have no experience with any and lack the knowledge to properly choose
>> one.
>
> I’m new to Guix and Scheme and no expert in Web programming, but in
> order to prevent CSRF and in order not to rely on JavaScript, the server
> should run with HTTPS (of course) and
> · use a secret session token and
> · send a customized Web page to the client adapted so that each link and
> form to the server includes the session token as a GET or POST parameter.
>
> An alternative is Basic Access Authentication with HTTPS or Cookies with
> HTTPS but they are vulnerable to CSRF.
>
> See stackoverflow, for example
>
> https://stackoverflow.com/questions/21357182/csrf-token-necessary-when-using-stateless-sessionless-authentication

Thanks for your input. Have you any experience/advice regarding OAuth or JSON Web Token (JWT)?

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
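The scheme Florian sketches above (a secret per-session token that the server embeds in every link and form, and that a sensitive request must echo back) can be illustrated server-side in a few dozen lines. The following is an added example written for this thread, not code from Guix or from either participant; it uses Python rather than Guile so it can be run as-is, keeps sessions in an in-memory dictionary, and the URL paths `/restart-build` and `/cancel-build` are constructed placeholders. The point it shows is the one made above: a cross-site request can make the browser attach cookies, but it cannot read the token embedded in the page, so a request that lacks the session's token is rejected regardless of which cookies it carries.

```python
import hmac
import secrets
from html import escape
from urllib.parse import urlencode

# Constructed in-memory session store: session_id -> per-session secret token.
# A real service would persist this alongside whatever identifies the user.
SESSIONS = {}


def create_session():
    """Start a session and mint the secret token bound to it."""
    session_id = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return session_id, token


def render_page(session_id, base_url="https://ci.example.org"):
    """Return HTML in which every link and form carries the session token.

    Links pass the token as a GET parameter; forms pass it as a hidden field
    so it arrives as a POST parameter. No JavaScript is involved.
    """
    token = SESSIONS[session_id]
    link = f"{base_url}/restart-build?{urlencode({'id': 42, 'token': token})}"
    form = (
        f'<form method="post" action="{base_url}/cancel-build">'
        f'<input type="hidden" name="token" value="{escape(token)}">'
        f'<input type="hidden" name="id" value="42">'
        f"<button>Cancel build</button></form>"
    )
    return f'<a href="{escape(link)}">Restart build</a>\n{form}'


def authorize_sensitive_request(session_id, params):
    """Accept the request only if params carries the token bound to session_id.

    session_id stands for whatever the server uses to recognise the session
    (for example a cookie); params are the decoded GET or POST parameters.
    """
    expected = SESSIONS.get(session_id)
    supplied = params.get("token")
    if expected is None or supplied is None:
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, supplied)


def demo():
    """Exercise the three request shapes the thread is concerned with."""
    sid, token = create_session()
    page = render_page(sid)
    legit = {"id": "42", "token": token}      # submitted from the rendered page
    forged = {"id": "42"}                     # cross-site request: cookie only
    guessed = {"id": "42", "token": secrets.token_urlsafe(32)}  # wrong token
    return (
        token in page,
        authorize_sensitive_request(sid, legit),
        authorize_sensitive_request(sid, forged),
        authorize_sensitive_request(sid, guessed),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

Because the token is minted with `secrets` and compared with `hmac.compare_digest`, the only way a request passes is by presenting a value that was read out of a page the server rendered for that same session, which is exactly what a cross-origin page cannot do.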