Open preslavrachev opened 4 months ago
You can disable CSRF token verification for non-forms with the `quarkus.csrf-reactive.require-form-url-encoded=false` configuration.
You can also achieve CSRF token verification using an HTTP header for those APIs.
Does this help?
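As an added illustration of the header-based option mentioned above (example code, not from the thread or the Renarde project): a browser-side helper that keeps CSRF protection on JSON endpoints by sending the token in a request header instead of a form field. It assumes the server renders the token into the page as `<meta name="csrf-token" content="...">` and that the filter accepts the token from an `X-CSRF-TOKEN` header; both names are assumptions to check against your own configuration.

```javascript
// Added example (not from the thread or the Renarde project): keep CSRF
// protection on JSON endpoints by sending the token in a request header.
// Assumptions: the server renders the token as <meta name="csrf-token" ...>,
// and the filter reads it from the "X-CSRF-TOKEN" header (assumed name;
// verify against your application.properties).
const CSRF_HEADER = "X-CSRF-TOKEN";

// Pull the token out of a server-rendered meta tag.
function csrfTokenFromHtml(html) {
  const m = /<meta\s+name="csrf-token"\s+content="([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

// Only attach the token to requests for our own origin, so it is never
// handed to a third-party host.
function isSameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === pageOrigin;
}

// Build fetch() options for a JSON POST carrying the CSRF header.
// Refuses to build an unprotected or cross-origin request rather than
// silently sending one.
function jsonRequestInit(url, pageOrigin, token, body) {
  if (!token) throw new Error("no CSRF token available; cannot call a protected endpoint");
  if (!isSameOrigin(url, pageOrigin)) throw new Error("refusing to send CSRF token cross-origin");
  return {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/json", [CSRF_HEADER]: token },
    body: JSON.stringify(body),
  };
}

// Constructed sample page fragment standing in for document.documentElement.outerHTML.
const SAMPLE_HTML = '<html><head><meta name="csrf-token" content="tok-123"></head></html>';
const SAMPLE_ORIGIN = "https://app.example";

// Usage in a browser (guarded so the file also loads under Node):
if (typeof fetch === "function" && typeof document !== "undefined") {
  const token = csrfTokenFromHtml(document.documentElement.outerHTML);
  fetch("/api/items", jsonRequestInit("/api/items", window.location.origin, token, { name: "demo" }));
}
```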
@FroMage it did help, indeed. I took some time to check if the CSRF tokens are still required where they should be (and they were), so I guess this issue can be closed.
However, it opens up an interesting point about documenting it. I checked the entire Renarde documentation and found no mention of it, so I believe it is worth adding to the Security page. Should I open a PR?
Yes, that'd be great, thanks :)
One of our applications uses Renarde and there are several controllers that inherit from `@Controller`, as well as others that should serve as plain REST API endpoints. While I understand the security concerns, these endpoints really don't need this extra layer, as we really only use them internally. I even explicitly annotate endpoints with `@Produces` and `@Consumes` to indicate that we are not talking about a controller action, but a plain REST endpoint. However, the CSRF check would kick in everywhere and would require me to dig in for a CSRF token. Not only that, but if you add DEBUG logging you'll see this in the logs:
which makes no sense to me - my request is perfectly fine. It is the CSRF filter that is out of place here.
Anyway, is there a way to disable the filter for certain resources/endpoints? Also, correct me if I am wrong, but this is not the case in a vanilla Quarkus application - only if I add Renarde on top (which, I assume, is because it pulls in the CSRF module dependency).