Fixing CSRF is pretty formulaic. You can probably do it across your whole codeba... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		dfranke on Aug 23, 2009 \| parent \| context \| favorite \| on: XSS is not a feature Fixing CSRF is pretty formulaic. You can probably do it across your whole codebase using nothing but sed. Stick a copy of your session cookie as a hidden field in every HTML form, and validate it as the first step of every form processing routine. The only time you need to introduce anything more thoughtful is if in some cases cross-site requests really are a feature, e.g. API calls.

laktek on Aug 23, 2009 [–]

Rails has built-in Request Forgery Protection. Seems Basecamp runs on a legacy version of Rails, which don't harness these features..

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact