vendredi 21 mai 2021

Should a CSRF check be done on all post requests?

As far as I understand it a CSRF check should be done on any requests that change the state.

If this is the case shouldn't all POST requests have a CSRF check?

If this isn't the case what exceptions are there?

The origin of this question is from a tutorial on Managing Session Cookies with Firebase, they use CSRF checks for the initial login step but not for a post request later

https://firebase.google.com/docs/auth/admin/manage-cookies#node.js_2




Aucun commentaire:

Enregistrer un commentaire