diff options
| author | NavaL <ayoyo@thoughtworks.com> | 2016-02-24 16:33:20 +0100 |
|---|---|---|
| committer | NavaL <mnandri@thoughtworks.com> | 2016-02-25 09:17:53 +0100 |
| commit | 9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch) | |
| tree | 228ca246c306bd44faa37c01e52c6d7aefec1531 /service/pixelated/resources/__init__.py | |
| parent | b79035b83e81e4fd654b587426083c6033e695ad (diff) | |
Backend and frontend protection against csrf attacks:
- root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login
- it will also add that cookie on single user mode
- initialize will still load all resources
- but they you cant access them if the csrf token do not match
- all ajax calls needs to add the token to the header
- non ajax get requests do not need xsrf token validation
- non ajax post will have to send the token in as a form input or in the content
Issue #612
Diffstat (limited to 'service/pixelated/resources/__init__.py')
| -rw-r--r-- | service/pixelated/resources/__init__.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/service/pixelated/resources/__init__.py b/service/pixelated/resources/__init__.py index 14ecac86..469c8bc8 100644 --- a/service/pixelated/resources/__init__.py +++ b/service/pixelated/resources/__init__.py @@ -99,3 +99,7 @@ class UnAuthorizedResource(Resource): def render_GET(self, request): request.setResponseCode(UNAUTHORIZED) return "Unauthorized!" + + def render_POST(self, request): + request.setResponseCode(UNAUTHORIZED) + return "Unauthorized!" |