From ab3ae5fdd49fd1604158d300e9cc95a6424b2581 Mon Sep 17 00:00:00 2001 From: Relintai Date: Sun, 21 Aug 2022 17:46:17 +0200 Subject: [PATCH] Added docs for CSRFTokenWebServerMiddleware. --- modules/web/doc_classes/CSRFTokenWebServerMiddleware.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/web/doc_classes/CSRFTokenWebServerMiddleware.xml b/modules/web/doc_classes/CSRFTokenWebServerMiddleware.xml index 07b8e8b91..0baffab9b 100644 --- a/modules/web/doc_classes/CSRFTokenWebServerMiddleware.xml +++ b/modules/web/doc_classes/CSRFTokenWebServerMiddleware.xml @@ -1,8 +1,12 @@ + The [CSRFTokenWebServerMiddleware] is a [WebServerMiddleware] implementation that sets up, and if it's a post request, then also it validates CRSF tokens automatically. If a token fails to validate an error is sent back to the user. + The [CSRFTokenWebServerMiddleware] is a [WebServerMiddleware] implementation that sets up, and if it's a post request, then also it validates CRSF tokens automatically. If a token fails to validate an error is sent back to the user. + They can be used to validate that a form was actually submitted by the user from a page rendered by the application's server itself, in order to mitigate [C]ross [S]ite [R]equest [F]orgery attacs (Imagine that a malicious site creates a form that points to your web application, and if the user has a session with your site, them clicking submit (there are methods that they don't even have to click) will cause unwanted side effects with your application (it could be avatar changes, pasword change, user deletion, etc). + It can be configured to ignore certain url-s. This is useful if an application only creates sessions when needed, and it has user registration and login support. In this case the registration and login urls need to be excluded from the CRSF token check, as a user don't yet have a session set up and thus has no CSRF token available before logging in. 
@@ -10,11 +14,13 @@ + Helper method that can create a token for you. + These urls will be excluded from the CSRF token check when receving a POST request.
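Review bot: In the first hunk (`@@ -1,8 +1,12 @@`) the opening description line "The [CSRFTokenWebServerMiddleware] is a [WebServerMiddleware] implementation that sets up, and if it's a post request..." is added twice in a row; drop the duplicate. The same hunk also has several spelling errors that should be fixed before merge: "CRSF tokens" and "CRSF token check" should read "CSRF", "attacs" should be "attacks", "pasword" should be "password", and "a user don't yet have" should be "a user doesn't yet have". The long parenthetical starting "(Imagine that a malicious site creates a form..." opens more parentheses than it closes; consider splitting it into a separate sentence. Since the text says validation only happens "if it's a post request", it would also help readers to state explicitly whether other state-changing methods are checked, and what error (status code or page) is "sent back to the user" on a failed validation, as these are the details an integrator needs to reason about coverage.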
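Review bot: In the second hunk (`@@ -10,11 +14,13 @@`) "receving a POST request" should be "receiving a POST request". The member description "Helper method that can create a token for you." is too thin to be useful: it should say what the method returns, whether the generated token is stored in the session so that the middleware's POST check can compare against it, and how the caller is expected to embed it in a form (for example as a hidden field) so that a legitimate submission passes validation.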