RESTful应用程序中的XSRF
[英]XSRF in a RESTful Application
问题描述
I am a ASP.NET Developer trying to learn Rails and RESTful approach. 
我是一名ASP.NET开发人员,正在尝试学习Rails和RESTful方法。 To understand, I am planning to write a Email client, which would make RESTful GET call to the server to fetch the emails and POST to send an email. 为了理解,我打算编写一个电子邮件客户端,它将对服务器进行RESTful GET调用以获取电子邮件,并发送POST以发送电子邮件。
What are the best practices (both generic and/or specific to Rails) to be followed so that, the above application is not exposing any XSRF vulnerabilities. 要遵循哪些最佳实践(通用和/或特定于Rails),以便上述应用程序不会暴露任何XSRF漏洞。
1 个解决方案
解决方案1
3 已采纳 2008-10-31 15:54:27
The Ruby on Rails Security Project has a good post on this. Ruby on Rails安全项目有一个很好的帖子。
Essentially, Rails 2.0 and above have built-in protection for XSRF attacks. 从本质上讲,Rails 2.0及更高版本具有针对XSRF攻击的内置保护。 Every form created via the form helpers includes a hidden field with a special token in it. 通过表单助手创建的每个表单都包含一个隐藏字段,其中包含一个特殊标记。 Each time a POST (or non-GET) is received, the token is checked against a secret on the server. 每次收到POST(或非GET)时,都会根据服务器上的密码检查令牌。 If they don't match, a security exception is thrown and the request is ignored. 如果它们不匹配,则抛出安全性异常并忽略该请求。
Read the article. 阅读文章。 They do a better job explaining it. 他们在解释它方面做得更好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.