Is it possible to disable CSRF checks for certain resources/endpoints? #200
Comments
You can disable CSRF token verification for non-forms with the You can also achieve CSRF token verification using an HTTP header for those APIs. Does this help?
@FroMage it did help, indeed. I took some time to check if the CSRF tokens are still required where they should be (and they were), so I guess this issue can be closed. However, it opens up an interesting point about documenting it. I checked the entire Renarde documentation and found no mention of it, so I believe it is worth adding to the Security page. Should I open a PR?
Yes, that'd be great, thanks :)
Any news on a documentation regarding those configuration options?
No update yet, but I'd merge any PR that comes my way :)
One of our applications uses Renarde and there are several controllers that inherit from @Controller, as well as others that should serve as plain REST API endpoints. While I understand the security concerns, these endpoints really don't need this extra layer, as we really only use them internally. I even explicitly annotate endpoints with @Produces and @Consumes to indicate that we are not talking about a controller action, but a plain REST endpoint. However, the CSRF check would kick in everywhere and would require me to dig in for a CSRF token. Not only that, but if you add DEBUG logging you'll see this in the logs:
which makes no sense to me - my request is perfectly fine. It is the CSRF filter that is out of place here.
Anyway, is there a way to disable the filter for certain resources/endpoints? Also, correct me if I am wrong, but this is not the case in a vanilla Quarkus application - only if I add Renarde on top (which, I assume is because if pulls in the CSRF module dependency).