by Johngibb
5474 days ago
I believe that he's right that just putting it in a hidden form field would be useless for this sort of attack. However, I believe Rails and Django actually include the CSRF token in headers for ALL AJAX requests, not just form submits.