Re: [security-dev] CSRF and json

Also, one of the most popular protection is a CSRF Token. This page can be useful. https://developer.mozilla.org/en/Persona/Security_Considerations ----- Original Message ----- From: "Bruno Oliveira" <bruno(a)abstractj.org&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: security-dev(a)lists.jboss.org Sent: Monday, May 5, 2014 11:25:19 PM Subject: Re: [security-dev] CSRF and json Good morning Bill On 2014-05-05, Bill Burke wrote: > If you have a JSON based web-service is it still vulnerable to CSRF > requests? CORS should be one protection. For cross domain FORM posts, They are, if you don't have checks for the content type. > if the json service checks the media type for application/json it should > abort the request, correct? If you want to follow strictly the specification (http://www.w3.org/TR/cors/#cross-origin-request-status). I would say, yes, they just abort with "network error". If you want to mitigate CSRF and other web vulnerabilities, my suggestion is the CSP specification (http://www.w3.org/TR/CSP11/). > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > security-dev mailing list > security-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev -- abstractj _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev