I believe the point of the article is that tokens don't get sent for HEAD or OPT... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		jordanlev on June 13, 2017 \| parent \| context \| favorite \| on: Securing your API: a modern alternative to CSRF to... I believe the point of the article is that tokens don't get sent for HEAD or OPTIONS requests, and it's very possible that your API/server are still performing some sort of action on such requests. Or even if not performing a specific action, it still needs to be dealt with and hence is a DDOS vector.

stouset on June 14, 2017 [–]

CSRF tokens do not help you in any way against DDOS. CSRF tokens are handed out willingly on essentially any GET request.

jordanlev on June 14, 2017 | [–]

Exactly -- I think that's one of the points of the article.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact