Hi guys,
What I do is allow the creation of a comment from a mobile device by sending XML:
<?xml version="1.0" encoding="UTF-8"?> <comment> <body>Comment from curl</body> </comment>
To http://user1:pass1@127.0.0.1.:3000/programs/1/comments
So I used protect_from_forgery :only => [:update, :destroy] to be able to access the :create.
But now it is open. As you can see in the request, I put the username and password so the comment can be created.
How should I do this in a secure way? Both regarding the protect_from_forgery and the username and password transfer?
Thanks!
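
An added example, not part of the original post and not Rails code: plain Ruby showing one way to separate the two cases in the question, keeping the CSRF token check for cookie-authenticated requests while an XML client authenticates each write with Basic credentials over HTTPS. The request hash keys, `USERS` and all function names are hypothetical, and it assumes the mobile client is not a browser and sends no session cookie.

```ruby
require "base64"
require "digest"

# Constructed credential store (hypothetical). A real app would store a slow
# password hash such as bcrypt; SHA-256 keeps this example stdlib-only.
USERS = { "user1" => Digest::SHA256.hexdigest("pass1") }.freeze

# Compare two equal-length strings without an early exit on the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse "Authorization: Basic <base64(user:pass)>" and return the user name
# when the password matches, otherwise nil.
def basic_auth_user(header)
  scheme, token = header.to_s.split(" ", 2)
  return nil unless token && scheme.casecmp?("Basic")
  user, pass = Base64.decode64(token).split(":", 2)
  return nil unless user && pass
  expected = USERS.fetch(user, "0" * 64) # dummy digest for unknown users
  secure_equal?(Digest::SHA256.hexdigest(pass), expected) ? user : nil
end

# Decide what to do with a state-changing request (create/update/destroy).
# req keys (all hypothetical names): :scheme, :content_type, :authorization,
# :session_user (set when a session cookie was sent), :csrf_token_valid.
def authorize_write(req)
  return [:reject, "HTTPS required"] unless req[:scheme] == "https"
  if req[:session_user]
    # Cookie-authenticated browser request: the CSRF token is mandatory.
    return req[:csrf_token_valid] ? [:allow, req[:session_user]] : [:reject, "CSRF token"]
  end
  # API request: must be XML (an HTML form cannot send this content type)
  # and must carry valid credentials in the Authorization header.
  return [:reject, "content type"] unless req[:content_type].to_s.start_with?("application/xml")
  user = basic_auth_user(req[:authorization])
  user ? [:allow, user] : [:reject, "credentials"]
end
```

Putting `user1:pass1@` in a curl URL already results in an `Authorization: Basic` header, so the exposure in the posted request comes from sending it over plain `http://`, which the first check rejects.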