I don't think checking Referer/Origin headers is sufficient against CSRF, but Wicket does: https://ci.apache.org/projects/wicket/apidocs/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.html … Bug or am I wrong?
Since "A missing Origin HTTP header is (by default) handled as if it were a good request and accepted" is the case, I agree.
Yes, and relying on things that can be omitted. Unfortunately CSRF is not straightforward with Wicket; guesswork is required.
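To make the point of the thread concrete, here is an added example (not Wicket's code, and not from any participant in the thread) of a generic Origin/Referer check for state-changing requests. It models the two policies being discussed: the lenient one, where a request with neither header is accepted, and the strict one, where it is rejected. The allowed origin `https://app.example.com`, the header dictionaries and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed origin of the protected application (not from the original thread).
ALLOWED_ORIGINS = {"https://app.example.com"}

# Methods that change state and therefore need a source check.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def source_origin(headers):
    """Derive the origin the browser says the request came from.

    Prefers the Origin header; falls back to the scheme://host[:port] part of
    Referer. Returns None when neither header is present, which is exactly
    the situation the thread is about: a browser, proxy or referrer policy
    may strip both, and an attacker's page cannot set them to a value of
    its choosing, so their absence is the only thing left to decide on.
    """
    origin = _header(headers, "Origin")
    if origin:
        # "null" is a legitimate browser value (sandboxed frames, some
        # redirects); it is returned as-is and will never match a real origin.
        return origin.strip().lower()
    referer = _header(headers, "Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def csrf_allowed(method, headers, accept_missing=True):
    """Decide whether a request passes the origin check.

    accept_missing=True reproduces the lenient policy quoted in the thread
    (no Origin/Referer means the request is treated as good). Set it to
    False for the fail-closed variant, where a request that carries no
    evidence of its source is rejected.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True
    origin = source_origin(headers)
    if origin is None:
        return accept_missing
    return origin in ALLOWED_ORIGINS


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", {"Origin": "https://app.example.com"}),
        ("POST", {"Origin": "https://evil.example"}),
        ("POST", {"Referer": "https://app.example.com/form?x=1"}),
        ("POST", {"Origin": "null"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs,
              "lenient:", csrf_allowed(method, hdrs, accept_missing=True),
              "strict:", csrf_allowed(method, hdrs, accept_missing=False))
```

The only input on which the two policies disagree is the request with neither header, which is the case the thread flags as the weakness of the lenient default.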