diff options
Diffstat (limited to 'doc/source/features.rst')
| -rw-r--r-- | doc/source/features.rst | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst index 3643326..c4239e9 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst | |||
| @@ -321,6 +321,20 @@ would be to use a different user to run PHP than for administrating the website, | |||
| 321 | and using this feature to lock this up. | 321 | and using this feature to lock this up. |
| 322 | 322 | ||
| 323 | 323 | ||
| 324 | Protection against cross site request forgery | ||
| 325 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
| 326 | |||
| 327 | Cross-site request forgery, sometimes abbreviated as *CSRF*, | ||
| 328 | is when unauthorised commands are issued from a user that the application trusts. | ||
| 329 | For example, if a user is authenticated on a banking website, | ||
| 330 | an other site might present something like | ||
| 331 | ``<img src="http://mybank.com/transfer?from=user&to=attack&amount=1337EUR">``, | ||
| 332 | effectivement transfering money from the user's account to the attacker one. | ||
| 333 | |||
| 334 | Snuffleupagus can prevent this (in `supported browsers <https://caniuse.com/#search=samesite>`__) | ||
| 335 | by setting the `samesite <https://tools.ietf.org/html/draft-west-first-party-cookies-07>`__ | ||
| 336 | attribute on cookies. | ||
| 337 | |||
| 324 | 338 | ||
| 325 | Dumping capabilities | 339 | Dumping capabilities |
| 326 | ^^^^^^^^^^^^^^^^^^^^ | 340 | ^^^^^^^^^^^^^^^^^^^^ |