Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Authenticity_token in Rails + Android

I am developing an Android application that communicates with a rails server. I don't want to ignore the authenticity_token but I also don't think asking for it is the right answer. What can be done to protect my POST requests?

like image 508
jmpenetra Avatar asked Apr 26 '12 15:04

jmpenetra


1 Answers

It's uncommon to require authenticity tokens when you use an API, as you would for an Android application; this is because authenticity tokens are generated to protect against cross-site request forgery attacks, which are only possible with a session... and usually if you're accessing an API you don't (or can't) use a session. So I wouldn't be too concerned about generating authenticity tokens here.

To protect your POSTs -- or indeed any request -- there are a number of options available to you. Simplest would be to authenticate each request with HTTP basic, and more complicated but arguably more secure would be to implement OAuth. Either way would provide some security for people using your app and connecting to your website.

like image 66
Veraticus Avatar answered Sep 25 '22 13:09

Veraticus