by kevincox
661 days ago
Yeah, I had a section on this but decided to cut it because I felt the other protections mostly obsoleted the need to talk about this.

> pretty much everything requires a non-simple request in order to invoke an action

Except for POST requests such as in forms. They may be a little out of fashion with JS-based frontends and JSON APIs, but I would consider it a pretty gaping hole. If the list could be reduced to just HEAD and GET requests I would consider it a pretty complete protection. But POST seems like too big of a hole. (Although if you can block all requests that are POST with a "simple" Content-Type, then you unlock a pretty robust protection.)
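One way to implement the last point, refusing POSTs whose Content-Type a cross-site form could have produced, as an added example that is not part of the comment above or any project (the plain-dict request shape and the function names are assumptions; wire `check_request` into your framework's middleware):

```python
# Added example: reject state-changing requests that are "simple" in the CORS
# sense, i.e. ones a plain <form> post (or fetch() without a preflight) from
# any origin could have sent. The dict-based request shape is an assumption.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Content-Types a browser sends without a CORS preflight (the Fetch spec's
# CORS-safelisted values for Content-Type). text/plain belongs here because
# <form enctype="text/plain"> can still deliver an attacker-shaped body.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def media_type(content_type):
    """Lowercase media type with parameters stripped (boundary=, charset=)."""
    if content_type is None:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_simple_post(method, headers):
    """True when the request could be a form submission from another origin."""
    if method.upper() != "POST":
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = media_type(lowered.get("content-type"))
    # A missing Content-Type is treated as simple: a lenient body parser
    # might still accept it, so it must not be allowed to change state.
    return ctype == "" or ctype in SIMPLE_CONTENT_TYPES


def check_request(method, headers):
    """Return (allowed, reason). Reads pass; writes pass only when they are
    non-simple, meaning the browser would have required a CORS preflight."""
    method = method.upper()
    if method in SAFE_METHODS:
        return True, "read-only method"
    if is_simple_post(method, headers):
        return False, "POST with simple Content-Type rejected (CSRF guard)"
    # PUT/DELETE/PATCH, or POST with e.g. application/json, always preflight.
    return True, "non-simple request"
```

Session-authenticated reads still need their own protections; this guard only closes the form-POST hole the comment describes.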