There seems to be little or no protection for XSRF / CSRF.
Simple solution:

```ruby
require 'sinatra'
require 'digest'

# The token lives in the session, so sessions must be enabled.
enable :sessions

before do
  # Reject POSTs whose submitted token does not match the one in the session.
  if request.post?
    if session[:csrf] != params[:csrf]
      halt 503
    end
  end
  # Mint a new token for this request and remember it for the next one.
  time = Time.now.to_s
  @key = Digest::SHA1.hexdigest(time)
  session[:csrf] = @key
end
```

Then on all form views add:

```erb
<input type="hidden" name="csrf" value="<%= @key %>" />
```
I should have some spare time next weekend. I'll take a look at this if @maxjustus doesn't nail it first.
My "simple solution" can be added to any Sinatra app. I think if we're looking to alter the original, a better solution may be available.
A better solution is to use rack/csrf:

```ruby
require 'sinatra'
require 'rack/csrf'

# Rack::Csrf keeps its token in the session, so a session middleware must run first.
enable :sessions
use Rack::Csrf, :raise => true
```

Then in the views:

```erb
<%= Rack::Csrf.csrf_tag(env) %>
```
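Added example (not code from this project or from either commenter above): a small Rack-style CSRF guard that shows the checks both suggestions in this thread rely on, written against the stdlib only so it runs without the rack or rack_csrf gems. It assumes a session middleware has already put a Hash in `env['rack.session']` (as Rack's session middlewares do); the class name `CsrfGuard`, the field and header names, and the `run_request`/`demo` helpers are all assumptions made for this example. Compared with a per-request token, the token here is minted once per session, so several open tabs keep working; every non-safe method (POST, PUT, PATCH, DELETE) is checked, not just POST; the comparison is constant-time; and a failed check returns 403.

```ruby
require 'securerandom'
require 'stringio'
require 'uri'
require 'cgi'

# Minimal CSRF guard in the shape of a Rack middleware (stdlib only).
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  FIELD  = 'csrf_token'        # form field name (assumed for this example)
  HEADER = 'HTTP_X_CSRF_TOKEN' # Rack env key for an X-CSRF-Token request header

  def initialize(app)
    @app = app
  end

  # One random token per session, created on first use and reused afterwards.
  def self.token(session)
    session[FIELD] ||= SecureRandom.hex(32)
  end

  # Hidden input to drop into every form view.
  def self.tag(session)
    %(<input type="hidden" name="#{FIELD}" value="#{CGI.escapeHTML(token(session))}" />)
  end

  def call(env)
    session = env['rack.session']
    raise 'session middleware must run before CsrfGuard' if session.nil?

    # Safe methods must not change state, so they need no token.
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    expected = session[FIELD]
    given    = submitted_token(env)
    if expected && given && secure_compare(expected, given)
      @app.call(env)
    else
      [403, { 'content-type' => 'text/plain' }, ['CSRF token missing or invalid']]
    end
  end

  private

  # Token from the X-CSRF-Token header (AJAX) or from the form body.
  def submitted_token(env)
    return env[HEADER] if env[HEADER]
    body = env['rack.input']
    return nil unless body
    data = body.read
    body.rewind if body.respond_to?(:rewind)
    URI.decode_www_form(data).to_h[FIELD]
  end

  # Constant-time comparison so a forged token cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A trivial downstream app used only for the demonstration below.
APP = ->(env) { [200, { 'content-type' => 'text/plain' }, ["ok #{env['REQUEST_METHOD']}"]] }

# Build a constructed Rack env and return the status the guard produces.
def run_request(method, session, body: nil, header: nil)
  env = { 'REQUEST_METHOD' => method, 'rack.session' => session }
  env['rack.input'] = StringIO.new(body) if body
  env['HTTP_X_CSRF_TOKEN'] = header if header
  CsrfGuard.new(APP).call(env).first
end

# Walk through the cases a practitioner would want to see: GET passes, a POST
# without a token is refused, the session's own token passes (form or header),
# and a token from another session is refused.
def demo
  session = {}
  token = CsrfGuard.token(session)
  {
    get_without_token:  run_request('GET', session),
    post_without_token: run_request('POST', session),
    post_with_token:    run_request('POST', session, body: "csrf_token=#{token}&name=alice"),
    post_forged:        run_request('POST', session, body: "csrf_token=#{SecureRandom.hex(32)}"),
    delete_with_header: run_request('DELETE', session, header: token),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, status| puts "#{name}: #{status}" }
end
```

In a Sinatra app the equivalent wiring is `enable :sessions` followed by `use CsrfGuard`, with `CsrfGuard.tag(session)` in each form view; if the header path is not needed, drop the `HEADER` branch.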