Closed maryam-saeidi closed 1 month ago
Pinging @elastic/kibana-core (Team:Core)
> This header is not always required;
Yeah, it's even trickier than that: non "unsafe methods" (so basically anything aside from `GET` and `OPTION`) require either the `kbn-xsrf` OR the `kbn-version` header.
So technically, none of those 2 are really required, but at least one of them should be present.
But for OAS generation we could probably just make `kbn-xsrf` mandatory, and automatically add it during generation for nonGET nonOPTION endpoints.
WDYT @jloleysens?
> But for OAS generation we could probably just make kbn-xsrf mandatory, and automatically add it during generation for nonGET nonOPTION endpoints.
Yeah, this is exactly what I had in mind. There is an option to also make xsrf header not required that should probably also be respected when generating oas:
Summary
While working on Zod support PoC, I noticed that we don't add the `kbn-xsrf` header parameter automatically. This header is not always required; for example, `GET /api/alerting/rules/_find` API works without providing this header but `PUT /api/alerting/rule/046c0d4f` needs this header.
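
A sketch of the generation-time rule discussed in this thread, as an added example that is not Kibana's code: emit a required `kbn-xsrf` header parameter for every operation that is not GET or OPTIONS, unless the route opts out. `RouteSpec`, `xsrfRequired`, `needsXsrfHeader` and `buildPaths` are hypothetical names, the PUT path is a templated form of the one in the issue, and the `/api/example/webhook` route is constructed.

```typescript
// Added example; all type and function names here are hypothetical.
type Method = 'get' | 'options' | 'post' | 'put' | 'patch' | 'delete';

interface RouteSpec {
  method: Method;
  path: string;
  xsrfRequired?: boolean; // assumed per-route opt-out; treated as true when unset
}

interface HeaderParam {
  name: string;
  in: 'header';
  required: boolean;
  schema: { type: 'string' };
}

interface Operation { parameters: HeaderParam[] }
type Paths = Record<string, Partial<Record<Method, Operation>>>;

// Methods the thread describes as exempt from the header check.
const EXEMPT: ReadonlySet<Method> = new Set<Method>(['get', 'options']);

const KBN_XSRF: HeaderParam = {
  name: 'kbn-xsrf',
  in: 'header',
  required: true, // the server also accepts kbn-version; the spec documents one header
  schema: { type: 'string' },
};

function needsXsrfHeader(route: RouteSpec): boolean {
  return !EXEMPT.has(route.method) && route.xsrfRequired !== false;
}

function buildPaths(routes: RouteSpec[]): Paths {
  const paths: Paths = {};
  for (const route of routes) {
    const parameters: HeaderParam[] = needsXsrfHeader(route) ? [{ ...KBN_XSRF }] : [];
    const byMethod = paths[route.path] ?? {};
    byMethod[route.method] = { parameters };
    paths[route.path] = byMethod;
  }
  return paths;
}

// Constructed sample input.
const sampleRoutes: RouteSpec[] = [
  { method: 'get', path: '/api/alerting/rules/_find' },
  { method: 'put', path: '/api/alerting/rule/{id}' },
  { method: 'post', path: '/api/example/webhook', xsrfRequired: false },
];
```

Documenting the header as required in the spec keeps generated clients from sending state-changing requests that the server would reject, while routes that opt out stay free of a misleading parameter.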