Hi Artyom,
First of all, can you add the HTTP header option for the CSRF token to
the secure programming page? Especially when dealing with AJAX
frameworks, that's often easier than adding the field.
Second, I think validate_request_origin should be changed to not match
POST, but do a positive match for GET or HEAD. Those two are supposed to
be side-effect free, but e.g. PUT or DELETE requests should get the CSRF
protection too.
Joerg
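An added example, not code from the secure programming page Joerg refers to, showing the two changes the message asks for: a positive match on the side-effect-free methods GET and HEAD in validate_request_origin (so that PUT and DELETE get the same check as POST), and accepting the CSRF token from an HTTP header as well as from a form field. The header name X-CSRF-Token, the field name csrf_token, the request representation (method string plus header and form dicts), and the weak "before" variant are assumptions made for the example.

```python
import hmac
import secrets

# Constructed example; the names below are assumptions, not the page's API.
SAFE_METHODS = frozenset({"GET", "HEAD"})   # side-effect free per the message
CSRF_HEADER = "X-CSRF-Token"                # assumed header name for AJAX clients
CSRF_FIELD = "csrf_token"                   # assumed hidden form field name


def generate_csrf_token() -> str:
    """Random per-session token; the server stores it in the session."""
    return secrets.token_urlsafe(32)


def _tokens_match(supplied: str, expected: str) -> bool:
    """Constant-time comparison; encode so non-ASCII input cannot raise."""
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def validate_request_origin_weak(method: str, headers: dict, form: dict,
                                 session_token: str) -> bool:
    """The pattern the message argues against: only POST is checked, so a
    PUT or DELETE without any token is accepted."""
    if method.upper() != "POST":
        return True
    supplied = form.get(CSRF_FIELD)
    return bool(supplied) and _tokens_match(supplied, session_token)


def validate_request_origin(method: str, headers: dict, form: dict,
                            session_token: str) -> bool:
    """Positive match on GET/HEAD; every other method (POST, PUT, DELETE,
    PATCH, ...) must carry the session's CSRF token, either in the
    X-CSRF-Token header or in the csrf_token form field."""
    if method.upper() in SAFE_METHODS:
        return True
    if not session_token:
        # No token issued for this session: nothing to compare against,
        # so a state-changing request cannot be trusted.
        return False
    # HTTP header names are case-insensitive; normalise before lookup.
    norm_headers = {k.lower(): v for k, v in headers.items()}
    supplied = norm_headers.get(CSRF_HEADER.lower()) or form.get(CSRF_FIELD)
    if not supplied:
        return False
    return _tokens_match(supplied, session_token)


if __name__ == "__main__":
    tok = generate_csrf_token()
    # A DELETE with no token slips past the weak check but not the fixed one.
    print("weak:", validate_request_origin_weak("DELETE", {}, {}, tok))
    print("fixed:", validate_request_origin("DELETE", {}, {}, tok))
    print("header:", validate_request_origin("PUT", {"x-csrf-token": tok}, {}, tok))
```

On the client side, an AJAX request only needs to set the X-CSRF-Token header on every non-GET/HEAD call, which is usually a single default-header setting in the framework rather than a hidden field in each form; custom headers cannot be added by a cross-site HTML form, which is why the header variant works as a CSRF defence at all.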