

Put.io API design issues - moonlander
https://miki.it/blog/2015/8/10/put-io-api-design-issues/

======
xrstf
Yeah, cookie-based auth seems suuuper convenient, especially when you build a
project that's something like a CMS based on a REST API and you don't want to
send auth headers back and forth all the time.

But remember: as soon as you use cookies (or anything else the browser sends
by itself automatically), you need to make sure that you know that _your user_
initiated the request, or else you get XSRF issues.

And combined with JSONP, this is basically game-over. However, when the
cookie-based auth is removed, I see no problems with JSONP (for the server;
the one using the JSONP has to have trust in the server to not set malicious
code).

------
mike-cardwell
Basic CSRF. If you don't know what CSRF is and how to protect against it, any
website you make is _probably_ going to be insecure. If you call yourself a
web developer and don't know about CSRF, please, go learn it. I don't think
I'd hire a web developer who couldn't tell me what CSRF is and how to prevent
it. Even if your framework takes care of it for you, you still need to know
what it is.

~~~
simonw
"If you don't know what CSRF is and how to protect against it, any website you
make is probably going to be insecure"

A thousand times this.

I used to give a talk about basic web application security, and my favourite
part of that talk was right after explaining CSRF when I'd point out that "...
and if you don't have active protection in place against this attack, your app
is vulnerable right now". You could almost see people's faces turning white in
the audience.
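
The "active protection" the two comments above refer to, written out as an added example that is not part of this thread or of Put.io's code. It is a framework-independent CSRF check in Python (standard library only): the session cookie is what the browser attaches automatically, so the check demands something the browser does not attach on its own, a per-session token bound to that cookie with an HMAC, plus an Origin/Referer comparison as a second layer. The `Request` class, `SITE_ORIGIN`, the `session` cookie name and the `csrf_token` form field are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed values for this example; a real app would read these from config.
SITE_ORIGIN = "https://app.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (hypothetical)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str, secret: bytes) -> str:
    """Derive the token the app embeds in its own forms/JS.

    HMAC(secret, session_id) binds the token to the session cookie, so a
    cross-site page cannot forge it without first reading our cookie, which
    the same-origin policy prevents. No server-side storage is needed.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_ok(req: Request) -> bool:
    """Second layer: browsers attach Origin (or at least Referer) to
    cross-site form posts; anything not from our own origin is rejected."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False  # fail closed: no source information at all
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(req: Request, secret: bytes) -> bool:
    """Return True only for requests the server should act on."""
    if req.method.upper() in SAFE_METHODS:
        # Safe methods are exempt, which is exactly why they must never
        # change state (a GET that deletes a file is CSRF-able by <img src>).
        return True
    if not origin_ok(req):
        return False
    session_id = req.cookies.get("session")
    supplied = req.form.get("csrf_token", "")
    if session_id is None or not supplied:
        return False
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(supplied, csrf_token(session_id, secret))
```

The order matters: a forged request from another site carries the victim's cookie (the browser adds it) but neither a matching `csrf_token` field nor an acceptable `Origin`, so it fails before any state changes. Token checking alone is sufficient; the origin check is defence in depth for the case where a token leaks.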

------
wdewind
This isn't great, but I do want to speak on behalf of Put.io. It really is an
incredible service and I've always had great response time from them on
customer service issues. I highly encourage anyone who isn't using it to give
it a look.

------
Sir_Cmpwn
Stop using JSONP, please! Instead, just support CORS.

~~~
simonw
CORS will not protect you against CSRF - in fact, if you don't apply it with
caution it will open you up to CSRF attacks.

~~~
Sir_Cmpwn
Sorry, I wasn't necessarily saying that CORS will save you, but more
suggesting that there's no reason to use JSONP.
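
The caution simonw raises about CORS, shown concretely as an added example (not code from this thread or from Put.io). The usual mistake is to echo whatever `Origin` the browser sent back in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`, which lets any site make cookie-authenticated calls and read the responses; the second common mistake is a loose suffix match on the origin. The hardened version compares against an exact allowlist and adds `Vary: Origin` so caches do not serve one origin's headers to another. The allowlist contents are constructed for the example.

```python
from typing import Optional

# Constructed allowlist for this example: full origins (scheme + host + port),
# compared exactly. Never a bare hostname or a wildcard with credentials.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.app.example"}


def cors_headers_reflecting(origin: Optional[str]) -> dict:
    """The weak setting: reflect any Origin and allow credentials.

    Any third-party page can now read authenticated API responses.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_suffix_match(origin: Optional[str]) -> dict:
    """Another weak setting: substring/suffix check on the origin string.

    'https://evil-app.example' ends with 'app.example' and would be accepted.
    """
    if origin is None or not origin.endswith("app.example"):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlist(origin: Optional[str]) -> dict:
    """The corrected setting: exact-match allowlist, credentials only for
    those origins, and Vary: Origin so shared caches keep responses apart."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        # No CORS headers at all: the browser blocks the cross-origin read.
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cross_site_read_allowed(headers: dict, origin: str) -> bool:
    """What the browser decides for a credentialed request from `origin`:
    it only exposes the response if ACAO matches exactly (not '*') and
    credentials are explicitly allowed."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )
```

Note that CORS only governs whether a script on another origin may *read* the response; a plain cross-site form post or `<img>` request is sent (with cookies) regardless, which is why Sir_Cmpwn's reply is right that CORS is no substitute for the CSRF check itself.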

