问题
I'm looking at possible solutions to protect my GWT app against XSRF.
If I understand GWT's solution correctly - it makes available a Servlet which you use to both generate the token on the client-side (when calling your RPC endpoint) and to validate on the server-side (when the call hits your service).
Does this solution only cater for RPC calls? Surely we need it to cover all user generated requests to the server?
Any other recommended XSRF solutions (I'm also looking at OWASP's CSRFGuard)?
回答1:
I modified the GWT Sample App to be protected against XSRF. This solution is roughly based of the solution provided in the GWT developer docs. http://code.google.com/p/xsrf-safe/
来源:https://stackoverflow.com/questions/6258547/gwt-xsrf-protection