问题
I am developing an Android application that communicates with a rails server. I don't want to ignore the authenticity_token but I also don't think asking for it is the right answer. What can be done to protect my POST requests?
回答1:
It's uncommon to require authenticity tokens when you use an API, as you would for an Android application; this is because authenticity tokens are generated to protect against cross-site request forgery attacks, which are only possible with a session... and usually if you're accessing an API you don't (or can't) use a session. So I wouldn't be too concerned about generating authenticity tokens here.
To protect your POSTs -- or indeed any request -- there are a number of options available to you. Simplest would be to authenticate each request with HTTP basic, and more complicated but arguably more secure would be to implement OAuth. Either way would provide some security for people using your app and connecting to your website.
来源:https://stackoverflow.com/questions/10336928/authenticity-token-in-rails-android