pandemonium_engine/modules/web/doc_classes/CSRFTokenWebServerMiddleware.xml

29 lines
2.0 KiB
XML
Raw Normal View History

2022-08-21 00:40:49 +02:00
<?xml version="1.0" encoding="UTF-8" ?>
2023-06-13 17:34:41 +02:00
<class name="CSRFTokenWebServerMiddleware" inherits="WebServerMiddleware" version="3.12">
2022-08-21 00:40:49 +02:00
<brief_description>
The [CSRFTokenWebServerMiddleware] is a [WebServerMiddleware] implementation that sets up, and if it's a post request, then also it validates CRSF tokens automatically. If a token fails to validate an error is sent back to the user.
2022-08-21 00:40:49 +02:00
</brief_description>
<description>
The [CSRFTokenWebServerMiddleware] is a [WebServerMiddleware] implementation that sets up, and if it's a post request, then also it validates CRSF tokens automatically. If a token fails to validate an error is sent back to the user.
2022-12-22 19:51:25 +01:00
They can be used to validate that a form was actually submitted by the user from a page rendered by the application's server itself, in order to mitigate [C]ross [S]ite [R]equest [F]orgery attacks (Imagine that a malicious site creates a form that points to your web application, and if the user has a session with your site, them clicking submit (there are methods that they don't even have to click) will cause unwanted side effects with your application (it could be avatar changes, password change, user deletion, etc).
It can be configured to ignore certain url-s. This is useful if an application only creates sessions when needed, and it has user registration and login support. In this case the registration and login urls need to be excluded from the CRSF token check, as a user don't yet have a session set up and thus has no CSRF token available before logging in.
2022-08-21 00:40:49 +02:00
</description>
<tutorials>
</tutorials>
<methods>
<method name="create_token">
<return type="String" />
<description>
Helper method that can create a token for you.
2022-08-21 00:40:49 +02:00
</description>
</method>
</methods>
<members>
<member name="ignored_urls" type="PoolStringArray" setter="set_ignored_urls" getter="get_ignored_urls" default="PoolStringArray( )">
2022-12-22 19:51:25 +01:00
These urls will be excluded from the CSRF token check when receiving a POST request.
2022-08-21 00:40:49 +02:00
</member>
</members>
<constants>
</constants>
</class>