functional.cafe is one of the many independent Mastodon servers you can use to participate in the fediverse.
functional.cafe is an instance for people interested in functional programming and languages.

I've been working on the login flow for a simple web program. In the process, I learned about two things:

1. Forms cannot submit DELETE or PUT requests.
2. How Cross-Site Request Forgery works - owasp.org/www-community/attack

Synthesizing these two pieces of knowledge, would it not be true that making your whole API use DELETE and PUT would obviate the need for CSRF tokens? The same-origin policy would prevent anyone but the page itself from making DELETE and PUT requests via JS, which is the only way to use those two methods.

To be clear, I think this is an entirely stupid idea, but it's intriguing nonetheless.
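The browser mechanism the post leans on is the CORS preflight: a cross-origin PUT or DELETE is not a "simple" request, so the browser sends an OPTIONS preflight first and only releases the real request if the server's CORS response allows that origin and method. The following added example (not from the post or from OWASP; function names and sample headers are constructed) models both halves of that decision, alongside the form-style POST that never triggers a preflight.

```javascript
// Added example: a simplified model of the CORS rules that decide whether a
// cross-origin request is sent directly or needs a preflight, and whether a
// preflight response lets the browser release a cookie-bearing request.
// All names and sample headers are constructed for this illustration.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// The three bodies an HTML <form> can produce; these never trigger a preflight.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Does a cross-origin request with this method and these headers need a preflight?
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true; // PUT, DELETE, PATCH...
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;             // e.g. a custom X-* header
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;      // e.g. application/json
    }
  }
  return false;
}

// Given the server's preflight response headers (lowercase keys), would the
// browser release the actual request from `origin`?  Simplified to the
// origin, method and credentials checks; withCredentials=true models a
// request that carries the victim's session cookie, the CSRF-relevant case.
function preflightAllows(responseHeaders, origin, method, withCredentials = true) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  const allowMethods = (responseHeaders['access-control-allow-methods'] || '')
    .split(',').map((m) => m.trim().toUpperCase()).filter(Boolean);
  const m = method.toUpperCase();
  if (withCredentials) {
    // Credentialed requests require an explicit origin echo and the credentials flag;
    // a wildcard origin is rejected by the browser in this case.
    if (responseHeaders['access-control-allow-credentials'] !== 'true') return false;
    if (allowOrigin !== origin) return false;
  } else if (allowOrigin !== '*' && allowOrigin !== origin) {
    return false;
  }
  // Safelisted methods pass without being listed; others must be listed explicitly.
  return SAFELISTED_METHODS.has(m) || allowMethods.includes(m)
    || (!withCredentials && allowMethods.includes('*'));
}
```

The last function is where the scheme in the post actually hinges: a server that reflects arbitrary origins with `Access-Control-Allow-Credentials: true` hands a cross-origin page exactly the DELETE/PUT access that the preflight was supposed to withhold.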
