adam-hanna / jwt-auth

This package provides json web token (jwt) middleware for goLang http servers
MIT License
231 stars 43 forks

Added possibility to disable CSRF VALIDATION #11

Closed amreo closed 5 years ago

amreo commented 5 years ago

I don't understand how to create a valid csrf token!

coveralls commented 5 years ago


Coverage decreased (-2.0%) to 82.344% when pulling 26fad0c8e4522c01157ec80e34aa1f79600c88c6 on amreo:master into 3f596e66e003161dc0a4e3cd0a1e26b1e1cf6dfe on adam-hanna:master.

adam-hanna commented 5 years ago

CSRF is a very important and basic protection scheme for all web servers. I'd really rather not add an option to disable it.

What have you tried? What errors are you getting?

Check out the docs about CSRF.

Also, check out the examples. Notice how this example is using a hidden form field to send the CSRF token, which it grabs from the login response header. From the docs, it could have also been sent in the request header with the key of "X-CSRF-Token", or in the "Authorization" request header with a value of "Bearer " + token.

amreo commented 5 years ago

The problem is that I don't understand how to generate and send a valid CSRF token.

adam-hanna commented 5 years ago

The CSRF token gets generated on the server. You don't need to generate it. You need to read it from the response header and send it with all subsequent requests. See the example I linked, above.

It happens here
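The server-minted, client-echoed flow the maintainer describes, as an added example that is not the jwt-auth project's own code: a minimal net/http server issues a CSRF token at login, binds it to a session cookie with an HMAC so the check stays stateless, and a middleware accepts the token back from either the X-CSRF-Token header or an Authorization: Bearer value. The HMAC key, the cookie name, the routes and all handler names are assumptions made for this demo, not identifiers from jwt-auth.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed demo key (hypothetical); a real server loads its secret from configuration.
var hmacKey = []byte("constructed-demo-key-not-for-real-use")

// sign binds a CSRF token to the session cookie with an HMAC: the server stores nothing and later re-derives the expected token from the cookie alone.
func sign(token string) string {
	m := hmac.New(sha256.New, hmacKey)
	m.Write([]byte(token))
	return token + "." + hex.EncodeToString(m.Sum(nil))
}

// sessionToken reads the session cookie, verifies its MAC and returns the bound CSRF token.
func sessionToken(r *http.Request) (string, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return "", false
	}
	parts := strings.SplitN(c.Value, ".", 2)
	if len(parts) != 2 || subtle.ConstantTimeCompare([]byte(sign(parts[0])), []byte(c.Value)) != 1 {
		return "", false
	}
	return parts[0], true
}

// csrfTokenFromRequest accepts either header form the maintainer describes above.
func csrfTokenFromRequest(r *http.Request) string {
	if a := r.Header.Get("Authorization"); strings.HasPrefix(a, "Bearer ") {
		return strings.TrimPrefix(a, "Bearer ")
	}
	return r.Header.Get("X-CSRF-Token")
}

// loginHandler mints the token on the server (the client never generates one), binds it to the cookie and surfaces it in the X-CSRF-Token response header.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is not something to paper over
	}
	tok := hex.EncodeToString(b)
	http.SetCookie(w, &http.Cookie{Name: "session", Value: sign(tok), HttpOnly: true, Path: "/"})
	w.Header().Set("X-CSRF-Token", tok)
}

// requireCSRF rejects requests whose header token does not match the one bound to the cookie.
func requireCSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		expected, ok := sessionToken(r)
		if !ok {
			http.Error(w, "no valid session", http.StatusUnauthorized)
			return
		}
		got := csrfTokenFromRequest(r)
		if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "csrf token missing or mismatched", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// runFlow drives the exchange in-process: log in, read X-CSRF-Token from the response, then call /protected with the token in X-CSRF-Token, as a Bearer value, and with an empty token.
func runFlow() (viaHeader, viaBearer, missing int) {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", loginHandler)
	mux.Handle("/protected", requireCSRF(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })))
	login := httptest.NewRecorder()
	mux.ServeHTTP(login, httptest.NewRequest(http.MethodPost, "/login", nil))
	token := login.Header().Get("X-CSRF-Token")
	call := func(header, value string) int {
		req := httptest.NewRequest(http.MethodPost, "/protected", nil)
		for _, c := range login.Result().Cookies() {
			req.AddCookie(c) // replay the session cookie exactly as a browser would
		}
		req.Header.Set(header, value)
		w := httptest.NewRecorder()
		mux.ServeHTTP(w, req)
		return w.Code
	}
	return call("X-CSRF-Token", token), call("Authorization", "Bearer "+token), call("X-CSRF-Token", "")
}

func main() {
	fmt.Println(runFlow()) // 200 200 403
}
```

Run it as an ordinary Go program; runFlow prints the three status codes. The design point worth noticing is that the expected value travels in an HttpOnly cookie the browser attaches on its own, so a cross-site request carries the cookie but not the matching header value, and that missing header is exactly what the middleware rejects.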

brnck commented 3 years ago

@adam-hanna could you please elaborate on how CSRF makes a stateless application more secure? What if my application is being used by another application? How does CSRF help if only two applications talk to each other?

Perhaps the author did a great job with a bad motivation, but I strongly recommend taking into consideration accepting this.

I found a very informative thread on Stack Exchange about whether CSRF is needed on stateless applications or not. Ref: https://security.stackexchange.com/questions/170388/do-i-need-csrf-token-if-im-using-bearer-jwt