httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henrik Strand <henrik.str...@axis.com>
Subject [users@httpd] Cross-Site Request Forgery
Date Mon, 20 Feb 2012 10:50:31 GMT
Hi,

What are your best practices against Cross-Site Request Forgery?

According to owasp.org a CSRFToken should be generated and added as a
hidden form value. 

Does Apache Httpd support this out-of-the-box (incl. validation of the
token for each subsequent request until the session expires)? 

Best Regards,
Henrik


https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message