+3 votes
in Q2A Core by
Hey there,

first of all: Thank you very much for that great piece of software that is Q2A!

I was wondering whether Q2A prevents cross-site request forgery (CSRF) attacks and, if such measures exist, how to make use of them when I write a plugin. (I looked through the code, but couldn't figure it out by myself and couldn't find a related question.)

For instance: Is there a function to use in plugins to build forms which are safe from CSRF?
1 Answer

+2 votes
Best answer
All modifying actions in Q2A must be performed via an HTTP POST request, which prevents CSRF attacks based on straightforward HTTP GET requests, such as embedded fake image URLs. However, Q2A doesn't use one-time secret tokens or similar methods to prevent CSRF requests via a forged web form POSTed by another site. I will look into this for the next major release.
Thanks for the answer!
"doesn't use one-time secret tokens"... updating this: Q2A does since v1.6.
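To illustrate the gap the answer describes (POST-only checks stop GET-based CSRF but not a forged POST form) and the token-based fix the comment refers to, here is an added, self-contained PHP example; it is not Q2A's own code, and every name in it (`csrf_token`, `csrf_check`, the `code` field, the `myplugin-save` action, the placeholder secret) is illustrative. Q2A 1.6 and later provide their own form security code helpers, so a plugin on those versions should use them rather than this standalone version.

```php
<?php
// Added example, not Q2A's own code: a self-contained per-session, per-action
// anti-CSRF token of the kind Q2A adopted in 1.6. All names here are illustrative.
const CSRF_SECRET  = 'replace-with-a-long-random-site-secret'; // placeholder value
const CSRF_MAX_AGE = 3600; // seconds a token stays valid

// Token = issue time + HMAC over (time, action, session). Binding the action means a
// token captured from one form cannot be replayed against a different action.
function csrf_token(string $sessionId, string $action, int $now): string {
    return $now . '.' . hash_hmac('sha256', "$now:$action:$sessionId", CSRF_SECRET);
}

// Parse, check age, recompute the MAC and compare in constant time.
// Returns false for missing, malformed, expired, tampered or wrong-action tokens.
function csrf_check(string $sessionId, string $action, ?string $token, int $now): bool {
    if ($token === null || !preg_match('/^(\d+)\.([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $issued = (int)$m[1];
    if ($issued > $now || $now - $issued > CSRF_MAX_AGE) {
        return false; // expired, or timestamp from the future
    }
    $expected = hash_hmac('sha256', "$issued:$action:$sessionId", CSRF_SECRET);
    return hash_equals($expected, $m[2]);
}

// Plugin side: embed the token as a hidden field when rendering the form ...
function render_form(string $sessionId): string {
    $code = htmlspecialchars(csrf_token($sessionId, 'myplugin-save', time()), ENT_QUOTES);
    return '<form method="post"><input type="hidden" name="code" value="' . $code . '">'
         . '<input type="submit" value="Save"></form>';
}

// ... and refuse the POST unless the token verifies. A forged cross-site form cannot
// know the victim's session-bound token, so it lands in the rejected branch.
function handle_post(string $sessionId, array $post): string {
    if (!csrf_check($sessionId, 'myplugin-save', $post['code'] ?? null, time())) {
        return 'Rejected: missing or invalid form security code';
    }
    return 'Saved';
}

// Demonstration with a constructed session id: the rendered form, a genuine token,
// a token issued for a different action, and no token at all.
$sid = 'constructed-session-id';
echo render_form($sid), "\n";
echo handle_post($sid, ['code' => csrf_token($sid, 'myplugin-save', time())]), "\n";
echo handle_post($sid, ['code' => csrf_token($sid, 'other-action', time())]), "\n";
echo handle_post($sid, []), "\n";
```

The secret must be a long random per-site value kept out of the page; the session id stands in for whatever identifies the logged-in user's session in the real application.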