科技回声

A tech news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声. All rights reserved.

Put.io API design issues

66 points by moonlander, almost 10 years ago

4 comments

xrstf, almost 10 years ago
Yeah, cookie-based auth seems suuuper convenient, especially when you build a project that's something like a CMS based on a REST API and you don't want to send auth headers back and forth all the time.

But remember: as soon as you use cookies (or anything else the browser sends by itself automatically), you need to make sure that you know that your user initiated the request, or else you get XSRF issues.

And combined with JSONP, this is basically game-over. However, when the cookie-based auth is removed, I see no problems with JSONP (for the server; the one using the JSONP has to have trust in the server to not set malicious code).
mike-cardwell, almost 10 years ago
Basic CSRF. If you don't know what CSRF is and how to protect against it, any website you make is probably going to be insecure. If you call yourself a web developer and don't know about CSRF, please, go learn it. I don't think I'd hire a web developer who couldn't tell me what CSRF is and how to prevent it. Even if your framework takes care of it for you, you still need to know what it is.
Comment #10035783 not loaded
Comment #10036633 not loaded
wdewind, almost 10 years ago
This isn't great, but I do want to speak on behalf of Put.io. It really is an incredible service and I've always had great response time from them on customer service issues. I highly encourage anyone who isn't using it to give it a look.
Sir_Cmpwn, almost 10 years ago
Stop using JSONP, please! Instead, just support CORS.
Comment #10035785 not loaded
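The comment above gives the remedy but not the shape of it. As an added example, not part of the thread or of Put.io's API, here is what a CORS policy for a cookie-authenticated API looks like in plain Node.js: an explicit origin allowlist, the exact origin echoed back (never `*` once credentials are involved), a `Vary: Origin` header for caches, and preflight handling for non-simple requests such as a JSON POST carrying a custom header. The allowed origins, methods and headers are assumptions made for the example.

```javascript
// Added example (not from the thread): CORS policy for a cookie-
// authenticated JSON API, as the replacement for JSONP. No framework.

// Assumed allowlist. Only these sites may read responses from a browser.
const CORS_ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);
const CORS_ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const CORS_ALLOWED_HEADERS = ["Content-Type", "X-CSRF-Token"];

// Compute the CORS part of a response. `request` is a constructed object
// { method, headers } with lower-case header names. Returns null when the
// request carries no Origin header (same-origin page or non-browser client),
// otherwise { status, headers, allowed }.
function corsResponse(request) {
  const origin = request.headers.origin;
  if (origin === undefined) return null;

  // Caches must key on Origin, or one origin's answer is served to another.
  const headers = { Vary: "Origin" };

  if (!CORS_ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin at all: the browser refuses to hand the
    // response body to the calling page, even if the server processed it.
    return { status: 403, headers, allowed: false };
  }

  // Echo the exact origin. "*" is not permitted together with credentials,
  // and the cookie is what makes these requests credentialed.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";

  const wantedMethod = request.headers["access-control-request-method"];
  const isPreflight = request.method === "OPTIONS" && wantedMethod !== undefined;
  if (isPreflight) {
    if (!CORS_ALLOWED_METHODS.includes(wantedMethod)) {
      return { status: 403, headers, allowed: false };
    }
    headers["Access-Control-Allow-Methods"] = CORS_ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = CORS_ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // cache the preflight answer
    return { status: 204, headers, allowed: true };
  }
  return { status: 200, headers, allowed: true };
}

// Build the actual API response body. A JSONP endpoint would wrap the data in
// a caller-chosen function name and serve it as script; here the `callback`
// query parameter is deliberately ignored and the body is always plain JSON
// with nosniff set, so it can only be read through CORS.
function jsonApiResponse(request, data) {
  const cors = corsResponse(request);
  if (cors && !cors.allowed) {
    return { status: cors.status, headers: cors.headers, body: "" };
  }
  const headers = {
    ...(cors ? cors.headers : {}),
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  };
  return { status: 200, headers, body: JSON.stringify(data) };
}

// Walk-through on constructed requests.
function corsDemo() {
  return {
    preflight: corsResponse({ method: "OPTIONS", headers: { origin: "https://app.example.com", "access-control-request-method": "POST" } }),
    foreign: corsResponse({ method: "GET", headers: { origin: "https://other.example" } }),
    sameOrigin: corsResponse({ method: "GET", headers: {} }),
    jsonp: jsonApiResponse({ method: "GET", headers: { origin: "https://app.example.com" }, query: { callback: "cb" } }, { files: 3 }),
  };
}

module.exports = { corsResponse, jsonApiResponse, corsDemo };
```

The point the commenter is making shows up in `jsonApiResponse`: with JSONP the server executes the caller's chosen function name in a script context on any origin that includes the script tag, and the cookie goes along for the ride; with CORS the server keeps control of which origins may read the response, and the browser enforces it.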