问题
I am a ASP.NET Developer trying to learn Rails and RESTful approach. To understand, I am planning to write a Email client, which would make RESTful GET call to the server to fetch the emails and POST to send an email.
What are the best practices (both generic and/or specific to Rails) to be followed so that, the above application is not exposing any XSRF vulnerabilities.
回答1:
The Ruby on Rails Security Project has a good post on this.
Essentially, Rails 2.0 and above have built-in protection for XSRF attacks. Every form created via the form helpers includes a hidden field with a special token in it. Each time a POST (or non-GET) is received, the token is checked against a secret on the server. If they don't match, a security exception is thrown and the request is ignored.
Read the article. They do a better job explaining it.
来源:https://stackoverflow.com/questions/253327/xsrf-in-a-restful-application