[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [GSoC] Development of Cuirass.
|
From: |
pelzflorian (Florian Pelz) |
|
Subject: |
Re: [GSoC] Development of Cuirass. |
|
Date: |
Sun, 12 Mar 2017 16:18:34 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.7.1 |
Hello,
On 03/12/2017 03:49 PM, Mathieu Lirzin wrote:
> Sensitive requests should be done with an
> authentification mechanism which is not determined yet. I currently
> have no experience with any and lack the knowledge to properly choose
> one.
I’m new to Guix and Scheme and no expert in Web programming, but in
order to prevent CSRF and in order not to rely on JavaScript, the server
should run with HTTPS (of course) and
· use a secret session token and
· send a customized Web page to the client adapted so that each link and
form to the server includes the session token as a GET or POST parameter.
An alternative is Basic Access Authentication with HTTPS or Cookies with
HTTPS but they are vulnerable to CSRF.
See stackoverflow, for example
https://stackoverflow.com/questions/21357182/csrf-token-necessary-when-using-stateless-sessionless-authentication
Maybe others don’t take such a strong stance against JavaScript and
prefer another method, but I believe JavaScript does not belong in the Web.
Regards,
Florian
- [GSoC] Development of Cuirass., Mathieu Lirzin, 2017/03/12
- Re: [GSoC] Development of Cuirass.,
pelzflorian (Florian Pelz) <=
- Re: [GSoC] Development of Cuirass., Ludovic Courtès, 2017/03/13
- Re: [GSoC] Development of Cuirass., Andy Wingo, 2017/03/13
- Re: [GSoC] Development of Cuirass., Efraim Flashner, 2017/03/13
- Re: [GSoC] Development of Cuirass., Mathieu Lirzin, 2017/03/21