CSRF only on POST request, reason?
#2

I'd be interested in responses to these questions as well. Incidentally, is there a way to subscribe to a thread without having to reply to it?

My personal take on 1. is that CI was reasonably confident that it could add CSRF protection to forms without too much risk of breaking everything since using form_open() automatically creates the hidden input field for the token. Even then, it looks like the forum still receives questions about POST requests failing which oftentimes turns out to be due to CSRF protection. On the other hand, there are no established CI mechanisms for PUT or DELETE requests since CI probably did not have these in mind in its earlier incarnations and would have an increased risk of breaking these requests for applications already using them. That said, this is all just conjecture on my part. For any RESTful requests, I just add the token in myself.
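The "add the token in myself" approach for PUT/DELETE requests, as an added example that is not from this thread or from the CodeIgniter project: it mirrors CodeIgniter's own double-submit check (submitted token must equal the CSRF cookie value) but applies it to the non-POST methods the built-in check skips. The cookie name, the `X-CSRF-TOKEN` header, the `csrf_token` JSON field and the 32-hex token format are assumptions for this example.

```php
<?php
// Added example (not from the thread or CodeIgniter): verify a CSRF token on
// PUT/PATCH/DELETE requests, which CodeIgniter's built-in check (POST-only)
// does not cover. Same double-submit idea as CI: the token the client sends
// must equal the value stored in the CSRF cookie.
// Cookie/header/field names below are assumptions for this example.

const CSRF_COOKIE_NAME = 'csrf_cookie_name';
const CSRF_HEADER_KEY  = 'HTTP_X_CSRF_TOKEN'; // $_SERVER key for an X-CSRF-TOKEN header

/**
 * Token sent by the client: the X-CSRF-TOKEN header, or a "csrf_token"
 * field in a JSON body. Returns null when no token was sent.
 */
function csrf_token_from_request(array $server, string $raw_body): ?string
{
    if (!empty($server[CSRF_HEADER_KEY])) {
        return (string) $server[CSRF_HEADER_KEY];
    }
    $data = json_decode($raw_body, true);
    if (is_array($data) && isset($data['csrf_token']) && is_string($data['csrf_token'])) {
        return $data['csrf_token'];
    }
    return null;
}

/**
 * True if the request is not a PUT/PATCH/DELETE (nothing to do here: POST is
 * already checked by the framework, safe methods should not change state),
 * or if it carries a token that matches the CSRF cookie in constant time.
 */
function csrf_verify_non_post(array $server, array $cookie, string $raw_body): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (!in_array($method, ['PUT', 'PATCH', 'DELETE'], true)) {
        return true;
    }
    $expected = $cookie[CSRF_COOKIE_NAME] ?? '';
    $sent     = csrf_token_from_request($server, $raw_body);
    // Reject a missing cookie, a missing token, or a malformed cookie value
    // (assumed 32 hex chars) before comparing.
    if ($sent === null || !preg_match('/^[0-9a-f]{32}$/i', $expected)) {
        return false;
    }
    return hash_equals($expected, $sent);
}

// Typical use at the top of a REST controller method (assumed placement):
// if (!csrf_verify_non_post($_SERVER, $_COOKIE, file_get_contents('php://input'))) {
//     http_response_code(403);
//     exit('CSRF token mismatch');
// }
```

The client still has to obtain the token from the rendered page (for example the hidden field that form_open() emits) and send it back in the header or body, since the cookie itself is not what the attacker's cross-site request can read.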


Messages In This Thread
CSRF only on POST request, reason? - by silentium - 03-05-2015, 07:22 PM
RE: CSRF only on POST request, reason? - by Nichiren - 03-05-2015, 09:36 PM
RE: CSRF only on POST request, reason? - by james - 03-06-2015, 06:51 AM
RE: CSRF only on POST request, reason? - by Narf - 03-06-2015, 01:14 PM


