Add a comment about a new use of the X-APOLLO-OPERATION-NAME header (a…
glasser authored and jamesonwilliams committed Nov 16, 2024
1 parent 0f4f1a5 commit d2fa296
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions Sources/Apollo/HTTPRequest.swift
Expand Up @@ -44,6 +44,15 @@ open class HTTPRequest<Operation: GraphQLOperation> {
self.cachePolicy = cachePolicy

self.addHeader(name: "Content-Type", value: contentType)
// Note: in addition to this being a generally useful header to send, Apollo
// Server's CSRF prevention feature (introduced in AS3.7 and intended to be
// the default in AS4) includes this in the set of headers that indicate
// that a GET request couldn't have been a non-preflighted simple request
// and thus is safe to execute. If this project is changed to not always
// send this header, its GET requests may be blocked by Apollo Server with
// CSRF prevention enabled. See
// https://www.apollographql.com/docs/apollo-server/security/cors/#preventing-cross-site-request-forgery-csrf
// for details.
self.addHeader(name: "X-APOLLO-OPERATION-NAME", value: self.operation.operationName)
self.addHeader(name: "X-APOLLO-OPERATION-TYPE", value: String(describing: operation.operationType))
if let operationID = self.operation.operationIdentifier {
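Review bot: The added comment refers to the header only as "this" and sits directly below the Content-Type addHeader call, so it is easy to attach it to the wrong line; name X-APOLLO-OPERATION-NAME explicitly in the comment's first sentence. The comment also records a behavioural dependency (Apollo Server's CSRF prevention may block GET requests if the header is dropped) that nothing enforces, and this commit changes only HTTPRequest.swift: a unit test asserting that every request built here carries X-APOLLO-OPERATION-NAME would catch a regression that a comment cannot. Minor: "intended to be the default in AS4" will go stale, so consider wording that does not depend on release plans and leaving the version detail to the linked documentation.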