Allow Get request but only in my domain?

Backend · Unresolved · 4 · 2052
栀梦 2021-01-21 23:58

On my site I can trigger certain things using GET requests, like the ability to hide or delete a comment. I am not very worried, but it would be pretty annoying if someone designed a

4 answers
  •  [愿得一人]
    2021-01-22 00:15

    The risk you're discussing is known as a cross-site request forgery attack. The standard way to prevent it is to double-post cookies (once in the cookies, once in the form), or some other unique token that an attacker could not guess via an included image. For more details on detection and prevention, see:

    http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
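To make the answer's two points concrete (refuse state-changing actions over GET, and require a token that is both in a cookie and in the submitted form), here is an added example of such a check. It is not the answerer's code and is not tied to any framework: the request is modelled as a plain dict, the site origin `https://example.test` and the function names `issue_csrf_token`, `csrf_check` and `demo` are assumptions for the example, and the three requests in `demo()` are constructed to show the forged-image GET, a forged cross-site POST, and a genuine form submission.

```python
import hmac
import secrets

# Assumed origin of the site; placeholder for this example.
SITE_ORIGIN = "https://example.test"

# Methods that must never carry a state-changing action.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token() -> str:
    """Generate an unguessable token. The site sets it as a cookie and also
    embeds it in every form that performs a state-changing action."""
    return secrets.token_urlsafe(32)


def csrf_check(request: dict) -> tuple[bool, str]:
    """Decide whether a state-changing request (hide/delete comment) may proceed.

    `request` is a plain dict standing in for a framework request object:
    {"method": str, "headers": {...}, "cookies": {...}, "form": {...}}.
    Returns (allowed, reason).
    """
    method = request.get("method", "GET").upper()
    if method in SAFE_METHODS:
        # An <img src="..."> or a plain link can only issue GET; refusing to
        # act on GET removes that vector entirely.
        return False, "state-changing actions are not accepted over " + method

    cookie_token = request.get("cookies", {}).get("csrf_token")
    form_token = request.get("form", {}).get("csrf_token")
    if not cookie_token or not form_token:
        # A third-party page can make the browser send the cookie, but it
        # cannot read the cookie to copy the value into its form.
        return False, "csrf token missing from cookie or form"

    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "csrf token in form does not match cookie"

    # Extra check: when the browser sends an Origin header, it must be our own.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "request originated from " + origin

    return True, "ok"


def demo() -> dict:
    """Run the check against three constructed requests and return the verdicts."""
    token = issue_csrf_token()
    # Scenario 1 (constructed): a page elsewhere embeds
    # <img src="https://example.test/comment/delete?id=7">, so the browser
    # sends a GET with the victim's cookie attached.
    forged_get = {"method": "GET", "headers": {},
                  "cookies": {"csrf_token": token}, "form": {}}
    # Scenario 2 (constructed): a page elsewhere auto-submits a POST form. The
    # cookie travels with it, but the form cannot contain the matching token.
    forged_post = {"method": "POST", "headers": {"Origin": "https://attacker.invalid"},
                   "cookies": {"csrf_token": token}, "form": {"id": "7"}}
    # Scenario 3 (constructed): the site's own form, rendered with the token.
    genuine_post = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                    "cookies": {"csrf_token": token},
                    "form": {"id": "7", "csrf_token": token}}
    return {
        "forged_get": csrf_check(forged_get)[0],
        "forged_post": csrf_check(forged_post)[0],
        "genuine_post": csrf_check(genuine_post)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The order of the checks matters: rejecting GET first means the comment-hiding and comment-deleting endpoints simply stop being reachable from an image tag or link, and the token comparison then only has to protect the POST path. The `Origin` check is a second, independent layer; it is skipped when the header is absent, because some clients do not send it, so it must not be the only defence.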
