Archive for April, 2010

Rails, Django, and Just-Barely-Enough CSRF Protection

Saturday, April 10th, 2010

This week I found what I thought was a bug in Rails 2.3: it does not check the anti-CSRF authenticity token for AJAX requests. Due to years of experience with Rails, I knew that this was not the previous behavior I have come to expect, so I dug around and learned that this behavior was […]