[Catalyst] preventing Cross Site Request Forgery

Jonathan Rockway jon at jrock.us
Tue Jun 19 10:10:25 GMT 2007

Hello cata-listers,

I was reading an article about CSRF last night:


and realized that Catalyst is just as "vulnerable" as Rails.  So, I wrote 
Catalyst::Plugin::FormCanary to solve the problem.  If you care about CSRF, 
get it from CPAN, load it into your app, and stop worrying :)

It's sort of unpolished right now (see the TODO section) but it does work, 
(even with FormBuilder), and it fails in a secure state instead of an 
insecure state.  It has good test coverage, so if you feel like fixing 
something in the TODO list write a test, fix it, and send me a patch.


Jonathan Rockway

package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do {
$,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //,
";$;"]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;

More information about the Catalyst mailing list