
This looks wide open to csrf attacks.

Another site can post a form on behalf of a user automatically, and the cookies for job poacher will be sent. Meaning that a malicious site can take actions on behalf of a logged-in user.

Perhaps their solution is more complicated than they let on, but I doubt it given it's "20 lines of code".

Rails has CSRF protections baked in; unless you explicitly turn it off, non-GET requests require a CSRF token associated with the user session to complete successfully.


That makes sense. I've been doing Node.js too long, where you have to do this stuff by hand :0


This is why you check for tokens in the form that correspond to the current user's session. Rails does this for you automatically.
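The two comments above describe the same mechanism: a random token tied to the user's session that every non-GET request must carry, so that a cross-site form (which the browser happily sends cookies with, but whose author cannot read the token) is rejected. The following is an added illustration of that synchronizer-token check in plain Ruby; it is not Rails' code (Rails' real implementation lives in ActionController::RequestForgeryProtection, additionally masks the token per response and, in newer versions, also checks the Origin header). The session and request are modelled as plain hashes, and the parameter and header names `authenticity_token` / `X-CSRF-Token` are the ones Rails uses.

```ruby
require 'securerandom'

# Methods treated as safe (no state change), so no token is demanded.
# Constructed to mirror Rails' behaviour; the real list is in Rails itself.
SAFE_METHODS = %w[GET HEAD].freeze

# Issue a per-session random token (idempotent: reuse if already present).
# `session` is a hypothetical Hash standing in for the framework session store.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time string comparison so a mismatch does not leak
# how many leading bytes matched through timing differences.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify a request (hypothetical Hash with :method, :params, :headers).
# Returns true when the request may proceed, false when it must be rejected.
def csrf_verified?(session, request)
  return true if SAFE_METHODS.include?(request[:method].to_s.upcase)

  expected = session[:csrf_token]
  return false if expected.nil? # no token ever issued: deny, don't mint one here

  supplied = request.fetch(:params, {})['authenticity_token'] ||
             request.fetch(:headers, {})['X-CSRF-Token']
  secure_compare(expected.to_s, supplied.to_s)
end

# Sample flow (constructed): the legitimate form includes the token the
# server rendered; the forged cross-site form arrives with the session
# cookie but without the token, because the attacker's page cannot read it.
def demo
  session = {}
  token = issue_csrf_token(session)
  legit  = { method: 'POST', params: { 'authenticity_token' => token, 'job' => 'poach' } }
  forged = { method: 'POST', params: { 'job' => 'poach' } }
  { legit: csrf_verified?(session, legit), forged: csrf_verified?(session, forged) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The forged request above fails not because the cookie is missing (it is sent) but because the token is absent; the same check also rejects a wrong-length or tampered token and a POST to a session that never received a token. SameSite cookie attributes are a useful defence in depth on top of this, not a replacement for it.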


That has nothing to do with using a password or not to authenticate. Anti-forgery tokens are the answer to CSRF.
