Hi folks. I've got a slightly crazy/infuriating bug with a site and CSRF.
We're running Django 1.2.3, Python 2.6 on Ubuntu with Apache2 + mod_wsgi and have been getting end users reporting 403 CSRF verification failures and 403s as a result.
All our forms have a csrf_token and - as far as I am aware - things work fine in local dev and...
Hi,
I use Rails request_forgery_protection mechanism to protect my POST actions from CSRF attacks and captcha to protect the GET actions. This way if someone stages a two-phase attack within one session, GET-ting the form with the current token and then POST-ing a forged request with that token, he will eventually be faced with a captch...
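As an added illustration of the mechanism the post above relies on (this is example code written for this page, not the poster's code and not Rails' own request_forgery_protection implementation), here is a minimal synchronizer-token check in plain Ruby. The `Session` class, the `authenticity_token` field name and the constructed victim/attacker sessions are all assumptions made for the example. It shows the token being minted on the GET that renders the form, bound to the session, and compared in constant time on POST. The scenarios exercised are: a legitimate submission, a cross-site POST with no token, a POST carrying a token minted for a different session, a session that never rendered the form, and the two-phase case the poster describes, where the token is read out of the form in the same session and then replayed, which the token check alone accepts.

```ruby
require 'securerandom'

# Constructed stand-in for a server-side session store (example only, not Rails).
class Session
  def initialize
    @data = {}
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @data[key] = value
  end
end

TOKEN_KEY = :_csrf_token

# Step 1: on the GET that renders the form, mint a per-session token (or reuse the
# existing one) so every form served in this session carries the same secret.
def csrf_token_for(session)
  session[TOKEN_KEY] ||= SecureRandom.urlsafe_base64(32)
end

# Hypothetical form renderer; the hidden field name mirrors Rails' convention.
def render_form(session)
  token = csrf_token_for(session)
  %(<form method="post" action="/posts">) +
    %(<input type="hidden" name="authenticity_token" value="#{token}"></form>)
end

# Constant-time byte comparison so a wrong token never leaks how many leading
# bytes matched through response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Step 2: on POST, the submitted token must equal the one stored in the
# requester's session. Missing or mismatched tokens are rejected.
def verified_request?(session, params)
  expected = session[TOKEN_KEY]
  submitted = params['authenticity_token']
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

# Runs the scenarios against constructed sessions and returns the outcomes.
def demo
  victim = Session.new
  attacker = Session.new
  victim_form = render_form(victim)   # victim loads the form in their own session
  render_form(attacker)               # attacker loads the form in a separate session

  # Two-phase case: the token is lifted from the form served to this session.
  lifted_token = victim_form[/value="([^"]+)"/, 1]

  {
    legitimate: verified_request?(victim, { 'authenticity_token' => victim[TOKEN_KEY] }),
    forged_no_token: verified_request?(victim, { 'title' => 'forged' }),
    forged_other_session_token: verified_request?(victim, { 'authenticity_token' => attacker[TOKEN_KEY] }),
    no_form_rendered: verified_request?(Session.new, { 'authenticity_token' => 'anything' }),
    same_session_two_phase: verified_request?(victim, { 'authenticity_token' => lifted_token })
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |scenario, accepted| puts "#{scenario}: #{accepted ? 'accepted' : 'rejected'}" }
end
```

The last scenario is the point of the post: once a request runs inside the victim's session with a freshly read token, the synchronizer-token check cannot tell it from a genuine submission, so anything further has to come from a different control.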
I'm considering what base URL to use for a REST web service. I have the option of using one of the following formats:
https://domain.com/api
https://api.domain.com
I'd like to make it both easy to use from client-side javascript apps and secure against forged request attacks. Is there a best practice to follow here?
...