XSRF in a RESTful Application


Question

I am an ASP.NET developer trying to learn Rails and the RESTful approach. To understand it, I am planning to write an email client, which would make RESTful GET calls to the server to fetch the emails and POST to send an email.

What are the best practices (both generic and/or specific to Rails) to be followed so that the above application is not exposing any XSRF vulnerabilities?

Answer

The Ruby on Rails Security Project has a good post on this.

Essentially, Rails 2.0 and above have built-in protection for XSRF attacks. Every form created via the form helpers includes a hidden field with a special token in it. Each time a POST (or non-GET) is received, the token is checked against a secret on the server. If they don't match, a security exception is thrown and the request is ignored.

Read the article. They do a better job explaining it.
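The mechanism the answer describes, as an added stand-alone model that is not Rails' own code: a per-session token is generated server-side, the form helper emits it as a hidden field, and every non-GET request must echo it back or be rejected. The `session` and `request` hashes and the `CsrfGuard` class are constructed stand-ins for the Rails objects.

```ruby
require 'securerandom'

# Constructed, simplified model of Rails-style request forgery protection.
class CsrfGuard
  # Methods that must be side-effect free and therefore skip the check.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
  class InvalidAuthenticityToken < StandardError; end

  # session: a hash standing in for the server-side session store.
  def initialize(session)
    @session = session
  end

  # Random token tied to this session; created once, reused for every form.
  def token
    @session[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
  end

  # What the form helper does: embed the token as a hidden field.
  # urlsafe_base64 output contains no HTML metacharacters, so no escaping is needed here.
  def hidden_field
    %(<input type="hidden" name="authenticity_token" value="#{token}">)
  end

  # What the before-action does: GET-like requests pass, anything else must
  # carry the session's token or the request is rejected with an exception.
  # request: hash with :method and :params (stand-in for the Rails request).
  def verify!(request)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)
    submitted = request[:params]['authenticity_token'].to_s
    raise InvalidAuthenticityToken, 'token missing or mismatched' unless secure_compare(submitted, token)
    true
  end

  private

  # Constant-time comparison so the check does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = CsrfGuard.new({})
  puts guard.hidden_field
  puts guard.verify!(method: 'POST', params: { 'authenticity_token' => guard.token })
  guard.verify!(method: 'POST', params: {}) rescue puts "rejected: #{$!.message}"
end
```

Because GET is exempt, this only protects the client described in the question if fetching mail over GET never changes state and sending mail is always a POST.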
