brunofacca / zen-rails-security-checklist

Checklist of security precautions for Ruby on Rails applications.
MIT License
1.81k stars, 150 forks

Cross-Site Request Forgery (CSRF) #31

Open danielmyasnikov opened 4 years ago

danielmyasnikov commented 4 years ago

How is "Use HTTP verbs in a RESTful way" a cross-site request forgery problem?

The second statement in there is correct: "Do not use GET requests to alter the state of resources".

brunofacca commented 4 years ago

I can't think of a way to perform a CSRF attack with a PUT or DELETE request unless CORS settings are completely unrestricted. I agree that the first part of the sentence is not important. Feel free to submit a PR to improve that item.
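The two claims in this thread (state-changing GET routes bypass forgery protection; PUT/DELETE only become forgeable cross-site when CORS is wide open) can be checked against a small model. The code below is an added example, not code from the zen-rails-security-checklist project or from Rails itself. `ForgeryProtection` is an assumed, simplified re-implementation of the shape of Rails' authenticity-token check (GET/HEAD exempt, every other verb must present a token matching the session), and `CrossSiteBrowser` is an assumed model of what a page on another origin can make a victim's browser send: GET and POST need no JavaScript (images, links, auto-submitted forms), while PUT/DELETE require `fetch`/XHR and therefore a CORS preflight. The route paths are constructed for illustration.

```ruby
require 'securerandom'

# Assumption: a simplified stand-in for Rails' request forgery protection,
# not Rails' own code. GET and HEAD are exempt from the token check; any other
# verb must carry a token equal to the one stored in the session.
class ForgeryProtection
  SAFE_VERBS = %w[GET HEAD].freeze

  def initialize(session_token)
    @session_token = session_token
  end

  # True when the request would be allowed through to the controller action.
  def verified_request?(verb, submitted_token)
    return true if SAFE_VERBS.include?(verb.upcase)
    return false if submitted_token.nil? || submitted_token.bytesize != @session_token.bytesize

    # Constant-time comparison, the same idea Rails uses for authenticity tokens.
    submitted_token.bytes.zip(@session_token.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Assumption: a simplified browser model. From an attacker-controlled origin,
# a victim's browser will send, with the victim's cookies attached:
#   GET         - <img>, <a>, top-level navigation (no JavaScript needed)
#   POST        - an auto-submitted <form> (no JavaScript needed)
#   PUT/DELETE  - only via fetch/XHR, which triggers a CORS preflight; the
#                 browser sends the request only if the server's CORS policy
#                 allows that method for that origin with credentials.
module CrossSiteBrowser
  FORM_VERBS = %w[GET POST].freeze

  def self.can_send?(verb, cors_allows_credentialed_cross_origin:)
    return true if FORM_VERBS.include?(verb.upcase)

    cors_allows_credentialed_cross_origin
  end

  # With a fully unrestricted credentialed CORS policy, cross-origin JavaScript
  # can also read a rendered page and lift the authenticity token from it.
  def self.can_read_token?(cors_allows_credentialed_cross_origin:)
    cors_allows_credentialed_cross_origin
  end
end

# Can a cross-site page trigger this verb AND get past the forgery check?
def csrf_exposed?(verb, cors_allows_credentialed_cross_origin: false)
  session_token = SecureRandom.hex(32)
  protection = ForgeryProtection.new(session_token)

  reaches_server = CrossSiteBrowser.can_send?(
    verb, cors_allows_credentialed_cross_origin: cors_allows_credentialed_cross_origin
  )
  known_token = CrossSiteBrowser.can_read_token?(
    cors_allows_credentialed_cross_origin: cors_allows_credentialed_cross_origin
  ) ? session_token : nil

  reaches_server && protection.verified_request?(verb, known_token)
end

# Constructed routes for the styles discussed in the issue.
ROUTES = {
  'GET /posts/1/delete'  => 'GET',    # state change via GET: what the checklist warns against
  'DELETE /posts/1'      => 'DELETE', # RESTful verb
  'POST /posts/1/delete' => 'POST'    # non-RESTful, but still token-protected
}.freeze

def audit(routes = ROUTES, cors_allows_credentialed_cross_origin: false)
  routes.to_h do |path, verb|
    [path, csrf_exposed?(verb, cors_allows_credentialed_cross_origin: cors_allows_credentialed_cross_origin)]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts 'Default CORS (no cross-origin credentialed access):'
  audit.each { |route, exposed| puts "  #{route.ljust(22)} csrf_exposed=#{exposed}" }
  puts 'Unrestricted credentialed CORS:'
  audit(cors_allows_credentialed_cross_origin: true).each do |route, exposed|
    puts "  #{route.ljust(22)} csrf_exposed=#{exposed}"
  end
end
```

Run it and the first audit flags only the GET route: the verb is exempt from the token check and an `<img>` tag is enough to trigger it, which is the point of "do not use GET requests to alter the state of resources". POST and DELETE are not exposed because the attacker cannot present a valid token. In the second audit DELETE (and POST) become exposed too, matching the "unless CORS settings are completely unrestricted" caveat: once cross-origin JavaScript can read responses with credentials, the token is no longer a secret.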