eclipse-archived / ceylon-herd

The Ceylon repository web application
Apache License 2.0

Move API to separate host name #100

Closed FroMage closed 8 years ago

FroMage commented 11 years ago

We should get a host name of api.modules.ceylon-lang.org and make sure that the Play session cookie is only set for the exact host name modules.ceylon-lang.org as opposed to all subdomains as it is now: .modules.ceylon-lang.org.

Then we request Basic auth for every authenticated call to api.modules.ceylon-lang.org, and we disallow API access from modules.ceylon-lang.org without CSRF form parameter checks.
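The scoping and per-host policy proposed in the comment above, as an added sketch that is not part of the issue or of Ceylon Herd's code. The function names, the `csrf_token` parameter name and the dict-based session are assumptions, and the cookie check is a simplified form of RFC 6265 domain matching (no IP-address or public-suffix handling).

```python
import base64
import hmac

MAIN_HOST = "modules.ceylon-lang.org"
API_HOST = "api.modules.ceylon-lang.org"


def cookie_sent_to(request_host, origin_host, domain_attr=None):
    """Would a browser attach the cookie to request_host (RFC 6265, simplified)?

    domain_attr=None models a host-only cookie, i.e. no Domain attribute was set.
    """
    request_host = request_host.lower()
    if domain_attr is None:
        return request_host == origin_host.lower()  # host-only: exact match
    domain = domain_attr.lower().lstrip(".")  # a leading dot is ignored
    return request_host == domain or request_host.endswith("." + domain)


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize_api_call(host, headers, session, form, check_password):
    """Hypothetical gate for an authenticated API call, keyed on the Host."""
    if host == API_HOST:
        # API host: Basic auth on every call; a session cookie is never consulted.
        creds = parse_basic(headers.get("Authorization"))
        return creds is not None and check_password(*creds)
    if host == MAIN_HOST:
        # Web host: session cookie plus a CSRF form parameter bound to that session.
        expected = session.get("csrf_token")  # assumed session key
        sent = form.get("csrf_token")         # assumed form parameter name
        if "user" not in session or not expected or not sent:
            return False
        return hmac.compare_digest(sent.encode(), expected.encode())
    return False
```
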

FroMage commented 8 years ago

Done.