[security-dev] CSRF and json
Pedro Igor Silva
psilva at redhat.com
Tue May 6 08:27:30 EDT 2014
Also, one of the most popular protection is a CSRF Token. This page can be useful.
----- Original Message -----
From: "Bruno Oliveira" <bruno at abstractj.org>
To: "Bill Burke" <bburke at redhat.com>
Cc: security-dev at lists.jboss.org
Sent: Monday, May 5, 2014 11:25:19 PM
Subject: Re: [security-dev] CSRF and json
Good morning Bill
On 2014-05-05, Bill Burke wrote:
> If you have a JSON based web-service is it still vulnerable to CSRF
> requests? CORS should be one protection. For cross domain FORM posts,
They are, if you don't have checks for the content type.
> if the json service checks the media type for application/json it should
> abort the request, correct?
If you want to follow strictly the specification
(http://www.w3.org/TR/cors/#cross-origin-request-status). I would say,
yes, they just abort with "network error".
If you want to mitigate CSRF and other web vulnerabilities, my suggestion
is the CSP specification (http://www.w3.org/TR/CSP11/).
> Bill Burke
> JBoss, a division of Red Hat
> security-dev mailing list
> security-dev at lists.jboss.org
security-dev mailing list
security-dev at lists.jboss.org
More information about the security-dev