Posted October 10, 2020

I'm updating one of my apps, and it has a ton of AJAX requests, and I've done this in the execute method of my controllers:

    if( Request::i()->requestMethod() !== 'GET'){
        Session::i()->csrfCheck();
    }

as all my POSTs are for state changes and my GETs aren't (so basically any HTTP request that isn't a GET will hit the csrfCheck). From my testing, it appears to be effective, or should I be putting the csrfCheck into each method of the controller that needs to check it?
October 10, 2020

I guess it's fine, given it's only run in your own controllers where you're making sure to use POST requests for any state changes and any actions where data aren't just simply displayed to the user.
October 10, 2020 (Solution)

But nothing here stops me from creating and sharing a regular URL for these methods, creating a GET request for it. So I'm gonna say you do need it in every method. Or you need all state-changing methods in their own controller where you run the csrfCheck regardless of request method.
October 10, 2020 (Author)

2 minutes ago, Martin A. said:
"But nothing here stops me from creating and sharing a regular URL for these methods, creating a GET request for it."

good point
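
The difference discussed in this thread, as an added example that is not part of any post above and is not Invision Community code: a stand-alone PHP 8 model comparing a CSRF check gated on the HTTP verb in `execute()` with a check placed inside the state-changing method itself. `FakeRequest`, `FakeSession`, both controller classes, `attempt()` and the token value are hypothetical stand-ins constructed for the illustration.

```php
<?php
// Hypothetical stand-ins for the framework's request and session objects.
final class FakeRequest {
    public function __construct(
        public string $method, public string $do, public ?string $csrfKey = null) {}
}
final class FakeSession {
    public function __construct(private string $key) {}
    public function csrfCheck(FakeRequest $r): void {
        if ($r->csrfKey === null || !hash_equals($this->key, $r->csrfKey)) {
            throw new RuntimeException('CSRF check failed');
        }
    }
}
// Pattern from the question: the check runs only when the verb is not GET.
class VerbGatedController {
    public array $deleted = [];
    public function __construct(protected FakeSession $session) {}
    public function execute(FakeRequest $r): void {
        if ($r->method !== 'GET') { $this->session->csrfCheck($r); }
        $this->dispatch($r);
    }
    protected function dispatch(FakeRequest $r): void {
        match ($r->do) { 'delete' => $this->delete($r), default => $this->view($r) };
    }
    protected function view(FakeRequest $r): void {}   // read-only action
    protected function delete(FakeRequest $r): void { $this->deleted[] = 'item'; }
}
// Pattern from the accepted answer: the state-changing method checks for itself.
class PerActionController extends VerbGatedController {
    public function execute(FakeRequest $r): void { $this->dispatch($r); }
    protected function delete(FakeRequest $r): void {
        $this->session->csrfCheck($r);   // runs whatever the HTTP verb is
        parent::delete($r);
    }
}
// Run one request against a fresh controller and report what happened.
function attempt(VerbGatedController $c, FakeRequest $r): string {
    try { $c->execute($r); } catch (RuntimeException $e) { return 'blocked'; }
    return $c->deleted ? 'state changed' : 'no change';
}
$session  = new FakeSession('constructed-token');
$linkGet  = new FakeRequest('GET', 'delete');                       // plain URL, no key
$formPost = new FakeRequest('POST', 'delete', 'constructed-token'); // legitimate form
foreach ([VerbGatedController::class, PerActionController::class] as $class) {
    foreach (['GET link' => $linkGet, 'POST form' => $formPost] as $label => $req) {
        echo "$class / $label: ", attempt(new $class($session), $req), "\n";
    }
}
```

Running it shows the verb-gated controller changing state on the keyless GET while the per-action controller blocks it, and both accepting the POST that carries the token.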