Closed eder13 closed 2 years ago
The KQL endpoint is implemented as an API route. If a session is used for authentication, the API checks for the CSRF token by default. In this case you can use the csrf() helper in your template code to access the token and provide it to your frontend code:
<script>
window.csrf = "<?= csrf() ?>"
</script>
If you want to use KQL via your backend API as a proxy, you can use HTTP Basic auth. For basic auth, no CSRF token is required.
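The two options described in the answer above, side by side, as an added example that is not part of the original thread and not Kirby or KQL project code. It assumes KQL is served at `/api/query` and that Kirby reads the session CSRF token from the `X-CSRF` header; the host name, credentials, function names and the query allow-list are constructed for illustration.

```javascript
// Added example. Assumptions: endpoint path /api/query, header name X-CSRF.
// Host, user and password values are constructed placeholders.
const KQL_URL = "https://cms.example.test/api/query";

// Browser with session auth: the cookie authenticates the user, so the token
// rendered by csrf() into window.csrf has to accompany every POST.
function sessionRequest(query, csrfToken) {
  if (!csrfToken) throw new Error("missing CSRF token");
  return {
    url: KQL_URL,
    options: {
      method: "POST",
      credentials: "same-origin", // session cookie goes to our own origin only
      headers: { "Content-Type": "application/json", "X-CSRF": csrfToken },
      body: JSON.stringify(query),
    },
  };
}

// Backend proxy with Basic auth: no cookie is involved, so no CSRF token is
// sent. The credentials never leave the server.
function proxyRequest(query, user, password) {
  const basic = Buffer.from(`${user}:${password}`).toString("base64");
  return {
    url: KQL_URL,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Basic ${basic}` },
      body: JSON.stringify(query),
    },
  };
}

// Design choice of this example: the proxy forwards only queries it defines
// itself, so a browser cannot run arbitrary KQL with the backend's credentials.
const ALLOWED = {
  notes: { query: "page('notes').children", select: { title: true, url: true } },
};

function proxyRequestFor(name, user, password) {
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) {
    throw new Error(`unknown query: ${name}`);
  }
  return proxyRequest(ALLOWED[name], user, password);
}
```

Each function returns the `url` and `options` to pass to `fetch(url, options)`; the backend's own CSRF protection toward the browser is separate from this call.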
Hello,
I would like to use the query language extension to effectively use Kirby as a headless REST CMS (separated React frontend). The only problem I see is that this query language uses POST requests, and afaik Kirby uses CSRF protection and there seems to be no (safe) way to get the CSRF token on the frontend.
But is it even CSRF protected?
PS: CSRF protection would still be applied, but instead of Kirby I would integrate it into my backend API, which would fetch the Kirby CMS data, which is protected via basic auth so that only the backend API has access to Kirby.
Thanks in advance! -eder