
Comment Re:Computer systems need security audits. (Score 1) 143

Repeat after me: "telling people 'GET shouldn't change anything' reinforces the dangerously incorrect notion that POST can't be forged".

JavaScript makes it *trivial* to POST data to an arbitrary server. Seriously, the only way to properly deal with this is to include and verify some sort of token in all POST requests (along with not allowing GET requests to modify data).
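The check the comment above describes, sketched as an added example that is not part of the original comment or any site's own code: a per-session token is verified on every non-GET request, and GET is refused for state-changing handlers. The names `issue_token`, `token_valid`, `authorize`, `SERVER_KEY` and the `csrf_token` form field are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a real service loads a long-lived
# random key from its secret store instead of generating one at import.
SERVER_KEY = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token to embed in each form: a random nonce plus an HMAC tying it to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_valid(session_id: str, token: str) -> bool:
    nonce, sep, mac = (token or "").partition(".")
    if not sep:
        return False
    # Compare as bytes in constant time; bytes also avoids a TypeError on
    # non-ASCII input supplied by the client.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def authorize(method: str, session_id: str, form: dict, changes_state: bool) -> int:
    """Return the HTTP status to answer with before the handler does any work."""
    if method.upper() in SAFE_METHODS:
        # GET must never modify data: refuse to route it to a state-changing handler.
        return 405 if changes_state else 200
    # The session cookie alone does not prove intent, because the browser
    # attaches it to cross-site POSTs as well. Require the token too.
    if not token_valid(session_id, form.get("csrf_token", "")):
        return 403
    return 200
```
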
