Cross-Site Request Forgery with Token Validation - general use?
Permalink
I'd like to know what's advisable for using CSRF validation. Should it be used
1. for every link and form requiring controller action and request (e.g. view, add/edit view, get/post)
2. only for forms with controller actions/requests (e.g. get/post)
3. only for those controller actions/requests which result in DB changes (e.g. save, update)
4. combination of the above for front and back end (user and admin interaction)
5. combination of the above only for front end (e.g. user interaction)
6. anything else?
I'd say #3 for front end only is reasonable. What are your suggestions and reasons?
Thank you.
1. for every link and form requiring controller action and request (e.g. view, add/edit view, get/post)
2. only for forms with controller actions/requests (e.g. get/post)
3. only for those controller actions/requests which result in DB changes (e.g. save, update)
4. combination of the above for front and back end (user and admin interaction)
5. combination of the above only for front end (e.g. user interaction)
6. anything else?
I'd say #3 for front end only is reasonable. What are your suggestions and reasons?
Thank you.