changeset 289:9223c3f26c1a

csrf
author Sebastien Jodogne <s.jodogne@gmail.com>
date Mon, 30 Sep 2019 21:31:08 +0200
parents 2e71e7cc0ec5
children 6cbcdb965ad3
files Sphinx/source/faq/security.rst
diffstat 1 files changed, 8 insertions(+), 3 deletions(-)
--- a/Sphinx/source/faq/security.rst	Tue Sep 24 17:57:27 2019 +0200
+++ b/Sphinx/source/faq/security.rst	Mon Sep 30 21:31:08 2019 +0200
@@ -100,9 +100,14 @@
   user that runs Orthanc.
 
 * Consider implementing a :ref:`higher-level application
-  <improving-interface>` (e.g. in PHP) that takes care of user
-  authentication/authorization, and that is the only one to be
-  allowed to contact the Orthanc REST API.
+  <improving-interface>` (e.g. in PHP, Java, Django...) that takes
+  care of user authentication/authorization, and that is the only one
+  to be allowed to contact the Orthanc REST API. In particular, you
+  must create a higher-level application so as to properly deal with
+  `CSRF attacks
+  <https://en.wikipedia.org/wiki/Cross-site_request_forgery>`__:
+  Indeed, as explained in the introduction, Orthanc is a microservice
+  that is designed to be used within a secured environment.
 
 * For advanced scenarios, you might have interest in the
   :ref:`advanced authorization plugin <authorization>`. Similarly,
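Review bot: the clause after the colon in the added lines ("Indeed, as explained in the introduction, Orthanc is a microservice that is designed to be used within a secured environment.") justifies why Orthanc leaves CSRF handling to the caller, but never says what "properly deal with CSRF attacks" requires of the higher-level application, so the reader is told to build one without knowing what it must do. Suggest ending the sentence at the link, stating what that application is expected to implement on top of the authentication/authorization already mentioned (for example an anti-CSRF token or equivalent check on state-changing requests to the REST API), and turning the "Indeed ..." justification into its own sentence; a capitalised "Indeed" right after a colon also reads oddly. Minor: "PHP, Java, Django..." mixes two languages with a web framework; "PHP, Java, Python/Django, ..." or similar would be cleaner.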