Risk of Cross-Site Request Forgery through _method POST parameter

[randomstuff]

The _method POST parameter can be used to override the HTTP method. This means that DELETE, PUT routes can be triggered through CSRF. The documentation should warn that when using libmonade these routes should be CSRF-protected as well.

Additionaly it might be useful to be able to disable this feature.

[16]

Thx ! So I plan to

• had a warning in the README
• had a CSRF protection (https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php/31683058#31683058)
• had an option to disable this feature (maybe be it should be disabled by default ?)

[randomstuff]

Ideally disabling it by default would be fine as it would follow the Principle of Least Astonishment. It would break existing code however.

Adding a CSRF protection by default would break existing code which consume the API directly (not through the browser) so you might want to opt-in as well if you add some CSRF protection.