eclipse-archived / ceylon-herd

The Ceylon repository web application
Apache License 2.0

Call Controller.checkAuthenticity to check every form #99

Closed FroMage closed 10 years ago

FroMage commented 11 years ago

We do have some Cross-Site Request Forgery support in Play, which includes special fields in every form, but we don't verify them on the server. We should call Controller.checkAuthenticity on every POST action.

I think we would be good if we did that in MyController in a @Before method for every non-GET|HEAD|OPTIONS method. We need to check that we don't have controllers that don't extend MyController and to verify that the check works by trying to fake the hidden form value or remove it.
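The base-controller check described above, written out as an added example for Play 1.x (not code from the ceylon-herd project); the method name `rejectForgedRequests`, the test class and the route `/hypothetical/post-action` are assumptions.

```java
// --- app/controllers/MyController.java (hypothetical base controller) ---
import play.mvc.Before;
import play.mvc.Controller;

public class MyController extends Controller {

    // Play 1.x runs @Before methods before every action of this controller
    // and of every controller that extends it. Controllers that do NOT
    // extend MyController are not covered, which is why the issue asks
    // for an audit of the controller hierarchy.
    @Before
    static void rejectForgedRequests() {
        String method = request.method;
        // Safe methods change no state and carry no form token; every other
        // method (POST, PUT, DELETE, ...) must present the hidden
        // authenticityToken field that Play's #{form} tag emits.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return;
        }
        // Compares params "authenticityToken" with the session's token and
        // answers 403 Forbidden when it is absent or does not match.
        checkAuthenticity();
    }
}

// --- test/CsrfTest.java (hypothetical functional test) ---
import java.util.HashMap;
import java.util.Map;
import org.junit.Test;
import play.mvc.Http.Response;
import play.test.FunctionalTest;

public class CsrfTest extends FunctionalTest {

    // The issue asks to verify the check by removing the hidden value ...
    @Test
    public void postWithoutTokenIsRejected() {
        Map<String, String> params = new HashMap<String, String>();
        params.put("name", "example");
        Response response = POST("/hypothetical/post-action", params);
        assertStatus(403, response);
    }

    // ... and by faking it.
    @Test
    public void postWithForgedTokenIsRejected() {
        Map<String, String> params = new HashMap<String, String>();
        params.put("authenticityToken", "not-the-session-token");
        Response response = POST("/hypothetical/post-action", params);
        assertStatus(403, response);
    }
}
```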

FroMage commented 10 years ago

Done.