From 31e74455e69d4fa348bc67e28fe237f4e0477282 Mon Sep 17 00:00:00 2001 From: Luca Campli Date: Mon, 25 Jan 2016 02:16:12 +0100 Subject: [PATCH] Update "Use only JSON API" As you can read here: http://security.stackexchange.com/questions/10227/csrf-with-json-post JSON APIs are still vulnerable to CSRF if you are not checking the content type. --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index be10a0b..5cf1080 100644 --- a/README.md +++ b/README.md @@ -25,11 +25,11 @@ there might be some inputs for credit card and social security info. ## How to mitigate CSRF attacks? -### Use only JSON APIs +### Use only JSON APIs and check for Content-Type AJAX calls use JavaScript and are CORS-restricted. -There is no way for a simple `
` to send `JSON`, -so by accepting only JSON, +A simple `` with the form data encoding `text/plain` is still able to forge requests containing valid JSON data, +so by accepting only JSON with `Content-Type: application/json` on the request you eliminate the possibility of the above form. ### Disable CORS
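Review bot: The new heading promises a Content-Type check, but the added body never says where or how it is enforced; state explicitly that the server must reject any request whose `Content-Type` is not `application/json` (a client-side header alone proves nothing, since the forged form controls its own encoding). It is also worth a sentence that this mitigation holds only while CORS stays restrictive: a script on another origin can send `application/json` after a preflight if the server's CORS policy allows it, which is exactly why the following `### Disable CORS` section belongs with this one. Minor wording: "with the form data encoding `text/plain`" would be clearer as "with a `text/plain` encoding", and "eliminate the possibility of the above form" reads better as "rule out the forged form described above".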