Why don't you recommend using the form token with rack protection?
Closed this issue · 2 comments
dariocravero commented
Hey @rkh, why do you say that Rack::Protection::FormToken might be a security issue for the app if Rack::Protection is being used?
Does it mean that we should be careful when using things like baldowl/rack_csrf (https://github.com/baldowl/rack_csrf/tree/master/lib/rack) or padrino-csrf together with rack-protection? What do we have to look out for?
Thanks!
rkh commented
FormToken lets through XHR requests without a token.
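To make the behaviour rkh describes concrete, here is an added example (not rack-protection's own code and not a copy of Rack::Protection::FormToken): a minimal Rack-style middleware that enforces a session-bound token on state-changing requests but, like FormToken, waves through any request carrying `X-Requested-With: XMLHttpRequest` without checking a token. The class name `FormTokenCheck`, the `'form'` env key standing in for parsed request params, the `build_env` helper and the scenario names are all assumptions made for the example; the sample envs are constructed, not captured.

```ruby
require 'securerandom'

# Added example, not rack-protection's own code. Models the behaviour
# described in the thread: token checks apply to non-safe methods, and a
# request flagged as XHR via X-Requested-With is let through without a token.
class FormTokenCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  PARAM_NAME   = 'authenticity_token'.freeze

  # allow_xhr: true reproduces the FormToken-style exemption; false removes it.
  def initialize(app, allow_xhr: true)
    @app = app
    @allow_xhr = allow_xhr
  end

  def call(env)
    return @app.call(env) if accepts?(env)
    [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
  end

  def accepts?(env)
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    # The exemption rkh refers to: no token is consulted for "XHR" requests.
    return true if @allow_xhr && env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
    expected  = env.fetch('rack.session', {})[:csrf]
    submitted = env.fetch('form', {})[PARAM_NAME] # 'form' is a stand-in for parsed params (assumption)
    return false if expected.nil? || submitted.nil?
    secure_compare(expected, submitted)
  end

  private

  # Constant-time comparison so a token cannot be guessed byte by byte via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Builds a constructed (not captured) Rack-style env for one request.
def build_env(method:, session_token: nil, submitted_token: nil, xhr: false)
  env = { 'REQUEST_METHOD' => method, 'rack.session' => {}, 'form' => {} }
  env['rack.session'][:csrf] = session_token if session_token
  env['form'][FormTokenCheck::PARAM_NAME] = submitted_token if submitted_token
  env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if xhr
  env
end

# Downstream app that simply succeeds; the middleware decides what reaches it.
APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Runs the scenarios the thread is about and returns status codes keyed by name.
def scenario_statuses
  token = SecureRandom.hex(16)
  with_xhr_exemption = FormTokenCheck.new(APP)
  without_exemption  = FormTokenCheck.new(APP, allow_xhr: false)
  {
    get_without_token:      with_xhr_exemption.call(build_env(method: 'GET')).first,
    post_with_valid_token:  with_xhr_exemption.call(build_env(method: 'POST', session_token: token, submitted_token: token)).first,
    post_with_wrong_token:  with_xhr_exemption.call(build_env(method: 'POST', session_token: token, submitted_token: 'x' * 32)).first,
    post_without_token:     with_xhr_exemption.call(build_env(method: 'POST', session_token: token)).first,
    # The case rkh points at: no token at all, but the XHR header alone gets the POST through.
    xhr_post_without_token: with_xhr_exemption.call(build_env(method: 'POST', session_token: token, xhr: true)).first,
    # The same request against a check that does not exempt XHR: the token is required again.
    xhr_post_strict:        without_exemption.call(build_env(method: 'POST', session_token: token, xhr: true)).first
  }
end

if $PROGRAM_NAME == __FILE__
  scenario_statuses.each { |name, status| puts "#{name}: #{status}" }
end
```

The exemption only holds as long as a cross-origin page cannot attach `X-Requested-With` to a request: setting that header from a browser forces a CORS preflight, so a permissive CORS configuration that allows the header (or any other channel that lets a third party set request headers) turns the exemption into a token-free path for state-changing requests. When stacking another CSRF middleware on top, check which of the two sees the request first and whether it short-circuits on the same header.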
dariocravero commented
Thanks!