[vlc-devel] [PATCH 0/2] mitigate CSRF and DNS rebinding attacks on httpd server.

Pierre Lamot pierre at videolabs.io
Thu Feb 1 10:16:06 CET 2018

> First, enforce POST for all non-indempotent requests. Then, you can think
> about "newer" attacks like CSRF.

I agree, though enforcing POST requests is breaking the API. I think this 
should be done in the long run, but as we start breaking the API we should
also add CSRF token and other things (TBD)

> It is true that session tokens or cookies would break the API. But so would
> Origin and Referer header checks:
> - A control app using hand-written code for HTTP will break.
> - A control app using a non-web framework for HTTP will also break.

Browsers provide Referer and/or Origin header in their requests (even GET). 
Control/Other app will unlikely provides theses header, my patch accept the 
requests when none of theses header are provided.

Pierre Lamot

More information about the vlc-devel mailing list