I'm not a security expert, but you'll generally want to use XSRF for POSTs.

And depending on what client side you're using, you'll need to make sure the client/server are in sync. I use AngularJS on the front end and it expects XSRF-TOKEN to be the name of the cookie (I believe beaker uses CSRF-TOKEN by default). I could have easily configured Angular to expect the name CSRF-TOKEN, but instead I configured beaker to send the cookie named XSRF-TOKEN. Long story short, make sure the client and server are expecting and using the same names of XSRF cookies.

On Wed, Dec 10, 2014 at 5:16 AM, Mehdi <[email protected]> wrote:
> I did, but that didn't answer my questions.
>
> On Wednesday, December 10, 2014 12:42:29 AM UTC+3:30, Steve Piercy wrote:
>>
>> Did you search the docs?
>> http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/sessions.html?highlight=csrf#preventing-cross-site-request-forgery-attacks
>>
>> --steve
>>
>>
>> On 12/9/14 at 12:50 PM, [email protected] (Mehdi) pronounced:
>>
>> >Hi
>> >I have my pyramid app with beaker session enabled. Now I want to make my app more secure against CSRF attacks, but I don't get it right:
>> >1- Should I set check_csrf=True in all my view_configs? If yes, then how could I get the CSRF token in the first place?
>> >2- If no, then in this exact view how should I return the token? Via template meta tag or hidden input element or cookie? Are all of them safe?
>> >If a malicious website sends a request to this view (without check_csrf), what will be the response? I know the cookie won't be set for the malicious website, but if the token was in the returned HTML, i.e. in a hidden input element, the attacker would be able to parse the HTML to find it, right?
>> >I guess I'm pretty confused about how CSRF works!
>>
>> ------------------------
>> Steve Piercy, Soquel, CA
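Added illustration, not code from this thread or from Pyramid/Beaker: a framework-independent model of the session-bound token check that check_csrf performs, showing why the cookie and header names configured on each side must agree, and why a cross-site request fails the check (the attacker's page cannot read the victim's cookie or the returned HTML because of the browser's same-origin policy). The Session class, the cookie/header names and the simulate() and cross_site_post() helpers are constructed here for the model.

```python
import hmac
import secrets


class Session(dict):
    """Constructed stand-in for a server-side Beaker/Pyramid session that
    lazily creates one CSRF token per session (like session.get_csrf_token())."""

    def get_csrf_token(self):
        if "csrf_token" not in self:
            self["csrf_token"] = secrets.token_hex(20)
        return self["csrf_token"]


def server_get(session, cookie_name):
    """Server side of a page load: expose the session token to the client as a
    cookie with the configured name (modelled as a name -> value dict)."""
    return {cookie_name: session.get_csrf_token()}


def angular_post(cookies, cookie_name="XSRF-TOKEN", header_name="X-XSRF-TOKEN"):
    """Client side: AngularJS $http copies the XSRF-TOKEN cookie value into an
    X-XSRF-TOKEN request header; with no such cookie it sends no header."""
    token = cookies.get(cookie_name)
    return {header_name: token} if token is not None else {}


def server_check_csrf(session, headers, header_name="X-XSRF-TOKEN"):
    """Server side of a POST: accept only if the submitted header equals the
    token bound to this session, compared in constant time. A missing or
    differently named header fails closed."""
    supplied = headers.get(header_name, "")
    return hmac.compare_digest(session.get_csrf_token(), supplied)


def simulate(server_cookie="XSRF-TOKEN", client_cookie="XSRF-TOKEN",
             server_header="X-XSRF-TOKEN", client_header="X-XSRF-TOKEN"):
    """One same-origin GET/POST round trip with the given names on each side."""
    session = Session()
    cookies = server_get(session, server_cookie)                   # GET issues token
    headers = angular_post(cookies, client_cookie, client_header)  # POST echoes it
    return server_check_csrf(session, headers, server_header)


def cross_site_post():
    """A forged POST from another origin: the browser attaches the victim's
    session cookie, but the attacker's page cannot read the token cookie or
    the victim's HTML, so it cannot add the token header."""
    victim_session = Session()
    server_get(victim_session, "XSRF-TOKEN")  # victim has already loaded the app
    return server_check_csrf(victim_session, angular_post({}))
```

A name mismatch on either the cookie or the header side makes every legitimate POST fail rather than weakening the check, which is what the thread's "keep client and server in sync" advice amounts to.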
