As far as I understand it a CSRF check should be done on any requests that change the state.
If this is the case shouldn't all POST requests have a CSRF check?
If this isn't the case what exceptions are there?
The origin of this question is from a tutorial on Managing Session Cookies with Firebase, they use CSRF checks for the initial login step but not for a post request later
https://firebase.google.com/docs/auth/admin/manage-cookies#node.js_2
Aucun commentaire:
Enregistrer un commentaire