I did, but that didn't answer my questions.

On Wednesday, December 10, 2014 12:42:29 AM UTC+3:30, Steve Piercy wrote:
>
> Did you search the docs?
>
> http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/sessions.html?highlight=csrf#preventing-cross-site-request-forgery-attacks
>
> --steve
>
> On 12/9/14 at 12:50 PM, [email protected] (Mehdi) pronounced:
>
> > Hi
> > I have my Pyramid app with beaker session enabled. Now I want
> > to make my app more secure against CSRF attacks, but I don't
> > get it right:
> > 1- Should I set check_csrf=True in all my view_configs? If yes,
> > then how could I get the CSRF token in the first place?
> > 2- If no, then in this exact view how should I return the token:
> > via template meta tag, hidden input element, or cookie? Are
> > all of them safe?
> > If a malicious website sends a request to this view (without
> > check_csrf), what will be the response? I know the cookie won't
> > be set for the malicious website, but if the token was in the returned
> > HTML, i.e. in a hidden input element, the attacker would be able to parse
> > the HTML to find it, right?
> > I guess I'm pretty confused about how CSRF works!
>
> ------------------------
> Steve Piercy, Soquel, CA
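The synchronizer-token flow Mehdi is asking about, as an added stand-alone illustration that is not Pyramid's, beaker's, or the thread's own code: an in-memory dict stands in for the beaker session, `get_csrf_token`/`check_csrf_token` are my own stand-ins modelled on what Pyramid's `request.session.get_csrf_token()` and `check_csrf=True` do (token read from a `csrf_token` form field or an `X-CSRF-Token` header), and the session key name, form field name and `/transfer` view are assumptions.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store (session id -> dict). It stands in for
# the cookie-bound beaker session; the real one lives server-side too, which is
# why a token kept in it is never sent to the browser except in our own HTML.
SESSIONS = {}


def get_csrf_token(session):
    """Return the session's CSRF token, minting one on first use.
    Answer to question 1: this is how a view obtains the token "in the first
    place" before any check_csrf view has been hit."""
    if "_csrft_" not in session:          # key name is an assumption
        session["_csrft_"] = secrets.token_hex(20)
    return session["_csrft_"]


def render_form(session):
    """Answer to question 2: a view WITHOUT check_csrf that returns the token
    in a hidden input. A third-party page can make the victim's browser send
    this request with the victim's cookie, but the same-origin policy stops
    that page from reading the response body, so the token stays private."""
    token = get_csrf_token(session)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
            '<input type="submit"></form>')


def check_csrf_token(session, form, headers):
    """What a check_csrf=True predicate does on a state-changing view: accept
    the token from the form field or the X-CSRF-Token header and compare it
    in constant time against the copy held server-side in the session."""
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token", "")
    expected = session.get("_csrft_", "")
    return bool(expected) and hmac.compare_digest(supplied, expected)


def transfer_view(session, form, headers):
    """The protected POST view: rejected unless the token matches."""
    if not check_csrf_token(session, form, headers):
        return 400, "Bad CSRF token"
    return 200, "transfer done"
```

A forged cross-site POST carries the victim's cookie (so the same session) but no readable token, which is exactly the case the check rejects.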
