[vlc-devel] [PATCH 0/2] mitigate CSRF and DNS rebinding attacks on httpd server.
pierre at videolabs.io
Thu Feb 1 10:16:06 CET 2018
> First, enforce POST for all non-indempotent requests. Then, you can think
> about "newer" attacks like CSRF.
I agree, though enforcing POST requests is breaking the API. I think this
should be done in the long run, but as we start breaking the API we should
also add CSRF token and other things (TBD)
> It is true that session tokens or cookies would break the API. But so would
> Origin and Referer header checks:
> - A control app using hand-written code for HTTP will break.
> - A control app using a non-web framework for HTTP will also break.
Browsers provide Referer and/or Origin header in their requests (even GET).
Control/Other app will unlikely provides theses header, my patch accept the
requests when none of theses header are provided.
More information about the vlc-devel