include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For https://www.djangoproject.com/[Django]: ---- # No method restriction def view(request): # Sensitive return HttpResponse("...") ---- ---- @require_http_methods(["GET", "POST"]) # Sensitive def view(request): return HttpResponse("...") ---- For https://flask.palletsprojects.com/en/1.1.x/[Flask]: ---- @methods.route('/sensitive', methods=['GET', 'POST']) # Sensitive def view(): return Response("...", 200) ---- == Compliant Solution For https://www.djangoproject.com/[Django]: [source,python] ---- @require_http_methods(["POST"]) def view(request): return HttpResponse("...") ---- [source,python] ---- @require_POST def view(request): return HttpResponse("...") ---- [source,python] ---- @require_GET def view(request): return HttpResponse("...") ---- [source,python] ---- @require_safe def view(request): return HttpResponse("...") ---- For https://flask.palletsprojects.com/en/1.1.x/[Flask]: [source,python] ---- @methods.route('/compliant1') def view(): return Response("...", 200) ---- [source,python] ---- @methods.route('/compliant2', methods=['GET']) def view(): return Response("...", 200) ---- == See * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control * https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design * https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control * https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF) * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery] * https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components * https://docs.djangoproject.com/en/3.1/topics/http/decorators/#allowed-http-methods[Django] - Allowed HTTP Methods * https://flask.palletsprojects.com/en/1.1.x/quickstart/#http-methods[Flask] - HTTP Methods ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]