Add some paragraph on GET vs other verbs in HTTP

Signed-off-by: Christian Wolf <github@christianwolf.email>
Christian Wolf
2025-01-20 17:33:28 +01:00
parent 86d6bae1f4
commit 08a89209e8


@@ -229,7 +229,11 @@ To prevent CSRF in an app, be sure to call the following method at the top of al
<?php
OCP\JSON::callCheck();
If you are using the App Framework, every controller method is automatically checked for CSRF unless you explicitly exclude it by setting the ``#[NoCSRFRequired]`` attribute or ``@NoCSRFRequired`` annotation before the controller method, see :doc:`../basics/controllers`
If you are using the App Framework, every controller method is automatically checked for CSRF unless you explicitly exclude it by setting the ``#[NoCSRFRequired]`` attribute or ``@NoCSRFRequired`` annotation before the controller method, see :doc:`../basics/controllers`.
Additionally, it is advised to carefully select the HTTP method used for requests.
Requests of type ``GET`` should not alter data but just read existing data.
As long as no other attack is involved, any non-``GET`` request requires at least user interaction (transmitting a form).
Unvalidated redirects
---------------------
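Review bot: The last added sentence, "As long as no other attack is involved, any non-``GET`` request requires at least user interaction (transmitting a form).", overstates what the HTTP verb provides: a form on a third-party page can be submitted by script with no user action, which is exactly what the CSRF check described in the preceding sentence exists to stop. Suggest replacing it with the reason ``GET`` must stay read-only (a ``GET`` can be issued simply by following a link or loading an embedded resource) and saying that state-changing endpoints should use a non-``GET`` method together with the CSRF check, not instead of it. Minor: "transmitting a form" reads better as "submitting a form", and the three new sentences would be clearer as their own paragraph after the ``:doc:`` reference.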