Closed sagan closed 7 years ago
I don't follow what you're asking for, but JSON APIs are just as vulnerable to CSRF attacks as APIs accepting multipart forms.
Closing for now. Reopen if you can provide more detail.
Sorry for my poor English. What I mean is: skip the CSRF token verification if the request Content-Type is not in [application/x-www-form-urlencoded, multipart/form-data, text/plain], because this kind of request can only be initiated from a same-origin XMLHttpRequest / fetch, which has no CSRF risks.
The code looks like this:

```js
// Proposed skip: only verify the token for form-style content types
if (['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'].indexOf(ctx.request.type) == -1)
  return next();
```
`XMLHttpRequest` and `fetch` absolutely have CSRF risks.
Hi
How about limiting the CSRF verification to application/x-www-form-urlencoded, multipart/form-data, and text/plain type requests only? As a plain HTML form can only send these 3 types of requests (without XMLHttpRequest / fetch, which are subject to the same-origin policy), there will be no CSRF risks in most cases if I implement an 'application/json' type REST-style API.
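As an added illustration of the disagreement above (not code from this project or either commenter), the snippet below models the proposed content-type-only skip next to a gate that verifies every state-changing request regardless of content type and also checks the Origin header. The request objects, site origin and session token are constructed placeholders standing in for Koa's `ctx.request`.

```javascript
// Constructed model of the two gates; no Koa dependency, `req` mimics ctx.request.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// True when the submitted token matches the token stored in the session.
function tokenValid(req) {
  return typeof req.body._csrf === 'string' && req.body._csrf === req.session.csrfToken;
}

// Proposed gate: only form content types are verified; everything else passes.
// The Content-Type header is attacker-controlled, so it is not proof of origin.
function proposedGate(req) {
  if (FORM_TYPES.indexOf(req.type) === -1) return 'allow';
  return tokenValid(req) ? 'allow' : 'reject';
}

// Hardened gate: every unsafe method is verified, whatever the content type,
// and the request must carry an Origin (or Referer) matching this site.
function hardenedGate(req, siteOrigin) {
  if (SAFE_METHODS.has(req.method)) return 'allow';
  let source = req.headers.origin;
  if (!source && req.headers.referer) source = new URL(req.headers.referer).origin;
  if (source !== siteOrigin) return 'reject'; // cross-site or missing origin
  return tokenValid(req) ? 'allow' : 'reject';
}

// Constructed sample requests; the session token is a placeholder value.
const SITE = 'https://app.example';
const session = { csrfToken: 'placeholder-session-token' };
const crossSiteJson = {
  method: 'POST', type: 'application/json',
  headers: { origin: 'https://other.example' },
  body: { amount: 100 }, session,
};
const sameSiteJson = {
  method: 'POST', type: 'application/json',
  headers: { origin: SITE },
  body: { amount: 100, _csrf: session.csrfToken }, session,
};
const crossSiteForm = {
  method: 'POST', type: 'application/x-www-form-urlencoded',
  headers: { origin: 'https://other.example' },
  body: { amount: 100 }, session,
};
```

The proposed gate lets `crossSiteJson` through without any check; the hardened gate rejects it, while the legitimate same-site request passes both.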