Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re^3: Mojolicious vs Dancer (security-wise)?

by davido (Archbishop)
on Sep 22, 2012 at 05:19 UTC ( #995042=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Mojolicious vs Dancer (security-wise)?
in thread Mojolicious vs Dancer (security-wise)?

You're correct.

Maybe either Mojolicious::Plugin::CSRFProtect or Mojolicious::Plugin::CSRFDefender would be reasonable steps in the right direction. The former looks to be more thorough, while the latter looks a little more foolproof.

Mojolicious::Plugin::CSRFProtect adds a hidden input field to forms, adds a token to ajax requests, rejects all non-GET/HEAD requests without the token, and simplifies the safeguarding of GET/HEAD requests and side-effect links.

This seems to provide the mechanism needed to implement one of the prevention measures mentioned in the Wikipedia article to which you linked: "Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions."

I'm using Mojolicious::Plugin::CSRFProtect in a project. It's convenient. All I have to do is make sure my routes for forms only respond to POST requests, and that my forms use the "form_for" helper. pretty slick.


Dave


Comment on Re^3: Mojolicious vs Dancer (security-wise)?
Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://995042]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (14)
As of 2015-07-06 18:42 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (80 votes), past polls