Tuesday, 2 April 2013

To Read: A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

This looks like a promising way to deal with CSRF:

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications (PDF)

1 comment:

Pierre Ernst said...

IMHO the Authorization: HTTP header should also be stripped by the proxy to block CSRF against webapps using basic authentication instead of session cookies.