include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For https://www.djangoproject.com/[Django]: ---- # No method restriction def view(request): # Sensitive return HttpResponse("...") ---- ---- @require_http_methods(["GET", "POST"]) # Sensitive def view(request): return HttpResponse("...") ---- For https://flask.palletsprojects.com/en/1.1.x/[Flask]: ---- @methods.route('/sensitive', methods=['GET', 'POST']) # Sensitive def view(): return Response("...", 200) ---- == Compliant Solution For https://www.djangoproject.com/[Django]: [source,python] ---- @require_http_methods(["POST"]) def view(request): return HttpResponse("...") ---- [source,python] ---- @require_POST def view(request): return HttpResponse("...") ---- [source,python] ---- @require_GET def view(request): return HttpResponse("...") ---- [source,python] ---- @require_safe def view(request): return HttpResponse("...") ---- For https://flask.palletsprojects.com/en/1.1.x/[Flask]: [source,python] ---- @methods.route('/compliant1') def view(): return Response("...", 200) ---- [source,python] ---- @methods.route('/compliant2', methods=['GET']) def view(): return Response("...", 200) ---- == See * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] * OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] * CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)] * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery] * https://docs.djangoproject.com/en/3.1/topics/http/decorators/#allowed-http-methods[Django] - Allowed HTTP Methods * https://flask.palletsprojects.com/en/1.1.x/quickstart/#http-methods[Flask] - HTTP Methods ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]