Replies: 2 comments 3 replies
-
|
Well, actually the client must explicitly set the You can read more about this here: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie |
Beta Was this translation helpful? Give feedback.
-
|
I see. So this middleware is intended to be used with an AJAX call, because setting a request header is not possible in HTML? Please clarify if this is incorrect. Otherwise, thanks for the nudge in the right direction. |
Beta Was this translation helpful? Give feedback.
-
|
Indeed, it's intended to be used with REST API called from the browser with AJAX/XHR requests where you can set headers manually. |
Beta Was this translation helpful? Give feedback.
-
|
For a middleware working more traditionally with a hidden form field, you can try simonw/asgi-csrf 😉 |
Beta Was this translation helpful? Give feedback.
-
|
For future readers needing to use the POST method to do CSRF in Starlette, this implemention is also good and small: https://github.com/piccolo-orm/piccolo_api/blob/master/piccolo_api/csrf/middleware.py |
Beta Was this translation helpful? Give feedback.
-
A bit of confusion as to how this middleware is intended to work.
Response headers are one-way, correct? So how is x-csrftoken ever supposed to be seen by the server again without the client explicitly sending it?
Sending an invisible field with POST data makes sense, a custom header does not? Am I missing something?
Beta Was this translation helpful? Give feedback.
All reactions