Security question: Does Q2A prevent CSRF-attacks?

Question 1

Hey there,

first of all: Thank you very much for that great piece of software that is Q2A!

I was wondering whether Q2A does prevent cross-site request-forgery attacks and if such measures exist, how to make use of them if I write a plugin. (I looked through the code, but couldn't figure it out by myself and couldn't find a related question.)

For instance: Is there a function to use in plugins to build forms which are safe from CSRF?

Thanks!

Thomas

Question 2

All modifying actions in Q2A must be performed via an HTTP POST request, which prevents CSRF attacks based on straightforward HTTP GET requests, such as embedded fake image URLs. However Q2A doesn't use one-time secret tokens or similar methods to prevent CSRF requests via a forged web form POSTed by another site. I will look into this for the next major release.

Question 3

Thanks for the answer!

Question 4

"doesn't use one-time secret tokens"... updating this: q2a does since v1.6.

gidgreen · Answer 1 · 2011-07-08T07:40:54+0000

All modifying actions in Q2A must be performed via an HTTP POST request, which prevents CSRF attacks based on straightforward HTTP GET requests, such as embedded fake image URLs. However Q2A doesn't use one-time secret tokens or similar methods to prevent CSRF requests via a forged web form POSTed by another site. I will look into this for the next major release.

"doesn't use one-time secret tokens"... updating this: q2a does since v1.6. — offline, Apr 1, 2014

Security question: Does Q2A prevent CSRF-attacks?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Categories

Security question: Does Q2A prevent CSRF-attacks?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Related questions

Categories