Closed amreo closed 5 years ago
CSRF is a very important and basic protection scheme for all web servers. I'd really rather not add an option to disable it.
What have you tried? What errors are you getting?
Check out the docs about CSRF.
Also, check out the examples. Notice how this example is using a hidden form field to send the CSRF token, which it grabs from the login response header. From the docs, it could have also been sent in the request header with the key of "X-CSRF-Token", or in the "Authorization" request header with a value of "Bearer " + token.
The problem is that I don't understand how to generate and send a valid CSRF token.
The CSRF token gets generated on the server. You don't need to generate it. You need to read it from the response header and send it with all subsequent requests. See the example I linked, above.
It happens here
@adam-hanna could you please elaborate how CSRF makes a stateless application more secure? What if my application is being used by another application? How does CSRF help if only two applications talk to each other?
Perhaps the author did a great job with a bad motivation, but I strongly recommend taking into consideration accepting this.
I found a very informative thread on stackexchange about whether CSRF is needed on stateless applications or not. Ref: https://security.stackexchange.com/questions/170388/do-i-need-csrf-token-if-im-using-bearer-jwt
I don't understand how to create a valid CSRF token!