
Re^3: Mojolicious vs Dancer (security-wise)?

by davido (Archbishop)
on Sep 22, 2012 at 05:19 UTC (#995042=note)

in reply to Re^2: Mojolicious vs Dancer (security-wise)?
in thread Mojolicious vs Dancer (security-wise)?

You're correct.

Maybe either Mojolicious::Plugin::CSRFProtect or Mojolicious::Plugin::CSRFDefender would be reasonable steps in the right direction. The former looks to be more thorough, while the latter looks a little more foolproof.

Mojolicious::Plugin::CSRFProtect adds a hidden input field to forms, adds a token to ajax requests, rejects all non-GET/HEAD requests without the token, and simplifies the safeguarding of GET/HEAD requests and side-effect links.

This seems to provide the mechanism needed to implement one of the prevention measures mentioned in the Wikipedia article to which you linked: "Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions."

I'm using Mojolicious::Plugin::CSRFProtect in a project. It's convenient. All I have to do is make sure my routes for forms only respond to POST requests, and that my forms use the "form_for" helper. Pretty slick.
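The setup davido describes, as an added example that is not part of the original thread and not taken from the plugin's own distribution: a minimal Mojolicious::Lite app that loads Mojolicious::Plugin::CSRFProtect, builds its form with the `form_for` helper so the hidden token field is emitted, and registers the state-changing route for POST only. The plugin option name `on_error` and the hidden field name `csrftoken` are recalled from the plugin's documentation and should be treated as assumptions to check against the version you install; the route path `/transfer` and the `amount` parameter are made up for the illustration.

```perl
#!/usr/bin/env perl
# Added example (not from the original thread): a Mojolicious::Lite app wired
# the way the post describes. Assumes Mojolicious and
# Mojolicious::Plugin::CSRFProtect are installed.
use Mojolicious::Lite;

# Assumption from the plugin docs: loading it makes form_for emit a hidden
# "csrftoken" input and rejects non-GET/HEAD requests that lack a valid token.
# The on_error callback decides what a rejected request sees; here a plain 403.
plugin 'CSRFProtect' => {
    on_error => sub {
        my $c = shift;
        $c->render(text => 'Forbidden: missing or invalid CSRF token', status => 403);
    },
};

# GET: only renders the form. Reading has no side effect, so no token is
# required on this route; it is the place the token gets handed to the browser.
get '/transfer' => sub {
    my $c = shift;
    $c->render('transfer_form');
};

# POST only: the side-effecting action. A GET to this path is a 404, and a
# POST without the token never reaches this handler because the plugin
# rejects it first. (Hypothetical route and parameter names.)
post '/transfer' => sub {
    my $c = shift;
    my $amount = $c->param('amount') // '';

    # Application-level validation still belongs here; CSRF protection only
    # proves the request came from a page this app served.
    return $c->render(text => 'Bad amount', status => 400)
        unless $amount =~ /^\d+(?:\.\d{1,2})?$/;

    $c->render(text => "Transferred $amount");
};

app->start;
__DATA__

@@ transfer_form.html.ep
%# form_for is what the plugin hooks; a hand-written <form> would lack the token.
%= form_for '/transfer' => (method => 'POST') => begin
  %= label_for amount => 'Amount'
  %= number_field 'amount'
  %= submit_button 'Transfer'
% end
```

Start it with `morbo app.pl`, load `/transfer` in a browser and inspect the rendered form: the hidden token field should be present, and submitting the form succeeds. A request that skips the form, such as `curl -X POST -d amount=1 http://127.0.0.1:3000/transfer`, carries no token and should receive the 403 from `on_error`; that difference is the whole point of the mechanism, since a cross-site attacker's page is in the same position as that curl command.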

