path: root/actionpack/lib/action_controller/request_forgery_protection.rb
authorRick Olson <technoweenie@gmail.com>2007-09-24 17:59:17 +0000
committerRick Olson <technoweenie@gmail.com>2007-09-24 17:59:17 +0000
commit2c73115b2fd1c547a8cf543a41b8b8b9d04925e1 (patch)
tree1b05460bacc1436b8dc1190c67426b711ab43c8f /actionpack/lib/action_controller/request_forgery_protection.rb
parent2a60093fa35312e83aeaa3185ea0fc20f3ee50be (diff)
port over some of the csrf_killer README docs
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7614 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/lib/action_controller/request_forgery_protection.rb')
-rw-r--r--actionpack/lib/action_controller/request_forgery_protection.rb13
1 files changed, 13 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index a5044619a1..1802acc568 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -22,6 +22,19 @@ module ActionController #:nodoc:
# the token doesn't match what was expected. And it will add a _token parameter to all forms that are automatically generated
# by Rails. You can customize the error message given through public/422.html.
#
+ # Learn more about CSRF (Cross-Site Request Forgery) attacks:
+ #
+ # * http://isc.sans.org/diary.html?storyid=1750
+ # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ #
+ # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application. There are a few guidelines you
+ # should follow:
+ #
+ # * Keep your GET requests safe and idempotent. More reading material:
+ # * http://www.xml.com/pub/a/2002/04/24/deviant.html
+ # * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+ # * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look for "Expires: at end of session"
+ #
# Example:
#
# class FooController < ApplicationController
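Review bot: The two guidelines added at lines 36 and 39 state what to do but not why, which is the part a reader deciding whether to follow them needs. The surrounding text (line 25) says the token is added to forms Rails generates, so a GET that changes state is presumably never covered by the check; a one-line rationale such as `# * Keep your GET requests safe and idempotent. The token is only sent with forms, so a state-changing GET is not protected.` would make the first guideline self-explanatory. The second guideline is tied to one browser's UI; wording it as `# * Make sure the session cookies Rails creates are non-persistent (no Expires/Max-Age), so a forged request cannot ride on a session that outlives the browser.` is tool-neutral, with the "so" clause hedged to however the token is bound to the session in the code outside this hunk.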