@robocoder opened this Issue on April 14th 2011 Contributor

This ticket is to investigate and correct any issues similar to those identified in:

A cursory inspection shows:

  • Piwik does not use the X-Requested-With header to automatically trust requests
  • Piwik does use nonces as a CSRF protection on POST forms and token auth for AJAX

We already did an audit (and internal review) for 1.1, but a lot has changed since then, so it might be prudent to give the APIs and Controllers a 2nd look.

This Issue was closed on July 31st 2011
Powered by GitHub Issue Mirror