httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: [PATCH] prevent CSRF in mod_proxy_balancer
Date Tue, 11 Mar 2008 17:46:56 GMT

On Mar 11, 2008, at 10:23 AM, Joe Orton wrote:

> It occurred to me recently that it is relatively simple to prevent
> "CSRF" attacks against the balancer-handler (see CVE-2007-6420), by
> generating a "secret" nonce at startup and requiring the presence of
> that secret in the submitted parameters.
>
> Any objections?
>

It's not "secret" of course, but I agree that this is
a VERY easy and elegant way to add some protection.

+1!
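
The scheme discussed in this thread, a nonce generated once at startup and required in the submitted parameters, could look like the following. This is an added example, not part of the original message and not the posted patch. The parameter name `nonce`, the function names, the 16-byte length and the use of /dev/urandom are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NONCE_BYTES 16
#define NONCE_HEX (NONCE_BYTES * 2)

/* Hypothetical per-process nonce, set once at startup (empty until then). */
static char balancer_nonce[NONCE_HEX + 1];

/* Fill the nonce from the OS random source; returns 0 on success. */
int nonce_init(void)
{
    unsigned char raw[NONCE_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (int i = 0; i < NONCE_BYTES; i++)
        sprintf(balancer_nonce + 2 * i, "%02x", raw[i]);
    return 0;
}

/* Compare two NONCE_HEX-long buffers without an early exit. */
static int ct_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    for (int i = 0; i < NONCE_HEX; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Return 1 only if the query string carries nonce=<startup nonce>.
 * Fails closed: no query, no nonce parameter, or an unset nonce gives 0. */
int nonce_ok(const char *query)
{
    if (!query || balancer_nonce[0] == '\0') return 0;
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 6 + NONCE_HEX && strncmp(p, "nonce=", 6) == 0)
            return ct_equal(p + 6, balancer_nonce);
        p += len;
        if (*p == '&') p++;
    }
    return 0;
}
```

A handler built this way would call `nonce_init()` once at startup, embed `balancer_nonce` in the links and forms it generates, and refuse any state-changing request for which `nonce_ok()` returns 0.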

