Posted to user@struts.apache.org by Dale Newfield <Da...@Newfield.org> on 2007/08/01 00:29:11 UTC
Re: [S2]Architectural answer to CSRF?
Musachy Barroso wrote:
> If there was a way of doing that, wouldn't it defeat the protection?
Probably, but I was hoping someone might suggest a way that it didn't.
> Another thing, does the HDIV plugin have this already?
Not really--it doesn't prevent the request from being made or acted
upon, just might make it harder for an attacker to figure out what
values to pass to get the desired result. HDIV only really seems to
help by masking primary key information in URLs -- and I've been careful
to (just about) never have clients reflect PKs back to me so that I
don't have to trust them.
-Dale
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
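The distinction Dale draws above (masking the values a client reflects back versus stopping a forged request from being acted upon) is easiest to see in code. The following is an added, stand-alone example written for this archive page; it is not Struts, HDIV, or any poster's code. It uses a simplified in-memory session store, a toy HMAC-based "masking" of primary keys that only stands in for the idea of an opaque identifier (it is not HDIV's algorithm), and a synchronizer token stored in the session; all names (login, mask_pk, handle_delete, forged_request, demo) are assumptions for the demo.

```python
"""Synchronizer-token CSRF check contrasted with relying on opaque parameter
values. Added illustrative example; not Struts, HDIV, or any list member's code.
The session store, the masking scheme and all function names are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory state standing in for a servlet session and a database.
SESSIONS: Dict[str, dict] = {}
ORDERS: Dict[int, str] = {101: "alice", 102: "bob"}  # order id -> owner
MASK_KEY = secrets.token_bytes(32)  # server secret for the toy masking scheme


def login(user: str) -> str:
    """Create a session. The returned id plays the role of the session cookie the
    browser attaches to every request, including ones an attacker's page triggers."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def mask_pk(pk: int) -> str:
    """Toy stand-in for masking a primary key in a URL: the client reflects an
    opaque, server-derived value instead of the raw id (assumption, not HDIV)."""
    return hmac.new(MASK_KEY, str(pk).encode(), hashlib.sha256).hexdigest()[:16]


def unmask_pk(masked: str) -> Optional[int]:
    """Recover the id by matching against known keys; adequate for a demo."""
    for pk in ORDERS:
        if hmac.compare_digest(mask_pk(pk).encode(), masked.encode()):
            return pk
    return None


def render_delete_form(sid: str, pk: int) -> dict:
    """What the legitimate page emits: the masked id plus the session's token as a
    hidden field. Only a page served to this session can read that token."""
    return {"id": mask_pk(pk), "token": SESSIONS[sid]["csrf_token"]}


def handle_delete(sid: str, params: dict, require_token: bool) -> str:
    """Server-side action. With require_token=False the endpoint trusts opaque
    parameter values alone; with True it demands a value bound to the session."""
    session = SESSIONS.get(sid)
    if session is None:
        return "rejected: no session"
    if require_token:
        supplied = params.get("token", "")
        if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
            return "rejected: bad csrf token"
    pk = unmask_pk(params.get("id", ""))
    if pk is None or ORDERS.get(pk) != session["user"]:
        return "rejected: unknown or foreign id"
    del ORDERS[pk]
    return "deleted %d" % pk


def forged_request(masked_id: str) -> dict:
    """A cross-site auto-submitting form: the attacker chooses the parameters and
    the victim's browser attaches the victim's session cookie. The attacker has no
    way to read the victim's csrf token, so the field is simply absent."""
    return {"id": masked_id}


def demo() -> Dict[str, str]:
    """Run the three scenarios and return their outcomes."""
    ORDERS.clear()
    ORDERS.update({101: "alice", 102: "bob"})
    victim = login("alice")
    # Assume the attacker has learned the masked value for order 101 (for example
    # by observing it while logged in as another user); masking alone is only
    # an obstacle to guessing, not a binding of the request to the victim.
    masked = mask_pk(101)
    results = {}
    results["forged_no_check"] = handle_delete(victim, forged_request(masked), False)
    ORDERS.setdefault(101, "alice")  # restore the row for the next scenario
    results["forged_with_check"] = handle_delete(victim, forged_request(masked), True)
    results["legit"] = handle_delete(victim, render_delete_form(victim, 101), True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-18s %s" % (name, outcome))
```

The first scenario is the point of the thread: with the session cookie present and a parameter value the attacker already knows, an endpoint that only relies on opaque identifiers still acts on the forged request. The token check rejects the same request because its value lives in the victim's session and is never readable from the attacker's origin, while the legitimate form, which carries the token, still succeeds.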