Details
-
Location: Vienna
Joined devRant on 7/9/2018
-
No.
-
Because looks have anything to do with the distro...
-
@beggarboy std is the standard library of C++
-
@nitwhiz pipe it into stty
-
echo -ne "\xaa" or something like that
-
@nitwhiz stty should read from stdin by default, I think
-
stty
-
@SteffTek https://owasp.org/index.php/...
Read up on the topic
-
@sbiewald okay, I misunderstood your point, thought you meant submit the token two ways with either way being okay
-
@SteffTek do you want other applications to make arbitrary requests on behalf of another user?
-
@SteffTek maybe you should read a few articles about it, you really shouldn't consider deploying an API without CSRF protection
-
@sbiewald but they can submit a request which sends the cookies and make requests on your behalf
-
@SteffTek doubt
-
@sbiewald storing it in the cookies defeats the entire purpose
-
@sbiewald just handle the error and refresh the token 🤷‍♂️
-
Like, if it's possible, make it dependent on the physical TCP connection
-
Make sure they are bound to sessions
-
5 min - 30 min, I'd say
-
Because the forms which execute CSRF can't read the response of the request they sent and thus can't acquire the token
-
@SteffTek the issue is anyone can create a form on his page which submits a request to your API, for this request cookies are sent (in contrast, JavaScript requests from different origins can't send cookies unless your API explicitly allows it)
This means any site can make POST (or other) requests on your behalf
-
Also if you only consume the service via another service (aka no website involved) you don't need CSRF protection
-
You have to make a GET request for the token beforehand
-
@Lensflare agreed, but obviously this is java so there's nothing modern about it :P
-
@kamen I mean when o.getName returns null
-
@kamen because it can't throw NPE
-
@filthyranter you could always ask a lawyer, which I would recommend if you are uncertain
-
As far as I know the definition of competitive isn't that loose in 🇦🇹
-
AFAIK Postman and Insomnia don't need CORS headers
-
Rebase and skip all commits which are not yours
-
@Brosyl true
Was a bit brainafk