Merge pull request #9 from decebals/_csrf_token

decebals · decebals · commit 737604a06a78 · 2015-06-02T22:13:08.000+03:00
Document _csrf_token form field
diff --git a/_posts/2015-03-17-security.md b/_posts/2015-03-17-security.md
@@ -101,13 +101,13 @@ Using this handler is straight-forward.
 ALL("/books.*", new CSRFHandler());
 ```
 
-**2.** Add a `${csrfToken}` hidden input value on all forms that are POSTed to this protected path expression
+**2.** Add a `_csrf_token` / `${csrfToken}` hidden input value on all forms that are POSTed to this protected path expression
 
 ```html
 <html>
 	<body>
 		<form method="post" action="/books/5/rename">
-			<input type="hidden" value="${csrfToken}" name="csrfToken" >
+			<input type="hidden" name="_csrf_token" value="${csrfToken}">
 			<input placeholder="Enter a new book title" name="bookTitle">
 			<input type="submit" value="Rename">
 		</form>
diff --git a/_posts/2015-06-01-forms.md b/_posts/2015-06-01-forms.md
@@ -6,6 +6,15 @@ date: 2015-06-01 10:11:42
 order: 55
 ---
 
+### Reserved Form Field Names
+
+The following field names are reserved for Pippo.
+
+- `_method`
+- `_content`
+- `_content_type`
+- `_csrf_token`
+
 ### Cross-Site Request Forgery (CSRF) Protection
 
 See [Security](security.html).
