New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

csrf防御中间件只验证post和put请求，delete和get请求不防御吗 #4

Open

xvrzhao opened this issue Feb 4, 2018 · 1 comment

xvrzhao commented Feb 4, 2018 •

edited

Loading

有如下两种假设：

伪造方盗用授权用户的身份，发送了某个delete请求进行用户资源的删除。
被攻击的网站的url未遵循rest规范，使用get请求进行了服务器资源的操作。

这样情况下没有验证吗？

xvrzhao changed the title ~~csrf防御中间件只验证post和put请求，假如是delete~~ csrf防御中间件只验证post和put请求，delete和get请求不防御吗

Author

xvrzhao commented Feb 4, 2018

但是，如果验证get请求的话会有问题：就是在用户第一次访问站点时，并没有token

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment