const class afSleepSafe::SameOriginGuard

sys::Obj
  afSleepSafe::SameOriginGuard : afSleepSafe::Guard

Guards against CSRF attacks by checking that the Referer or Origin HTTP header matches the Host.

The idea behind the same origin check is that standard form POST requests should originate from the same server. So the Referer and Origin HTTP headers are checked to ensure they match the server host. The Host parameter is determined from BedSheetServer.host() and is usually picked up from the BedSheetConfigIds.host config value.

Requests are also denied if neither the Referer nor the Origin HTTP header is present.

See the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for details.

Ioc Configuration

afIocConfig Key                    Value
afSleepSafe.sameOriginWhitelist    A CSV of alternative allowed origins.

Example:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afSleepSafe.sameOriginWhitelist"] = "http://domain1.com, http://domain2.com"
}

To configure the BedSheet host:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afBedSheet.host"] = `https://example.com`
}

To disable CSRF referrer checking, remove this class from the SleepSafeMiddleware configuration:

@Contribute { serviceType=SleepSafeMiddleware# }
Void contributeSleepSafeMiddleware(Configuration config) {
    config.remove(SameOriginGuard#)
}
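The rule documented above, modelled in Python as an added example (not afSleepSafe's own Fantom code): a request passes only when its Origin header, or failing that the origin of its Referer, matches the configured host or an entry of the sameOriginWhitelist CSV, and a request carrying neither header is denied. Preferring Origin over Referer, and normalising default ports away, are assumptions of this example rather than documented behaviour of the guard.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def origin_of(url: str) -> str | None:
    """Reduce a URL (an Origin or Referer value) to scheme://host[:port], lowercased.
    Returns None for values with no usable origin (e.g. 'null' or a relative path)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def allowed_origins(host: str, whitelist_csv: str = "") -> set[str]:
    """The BedSheet host plus each afSleepSafe.sameOriginWhitelist entry, normalised."""
    entries = [host] + [e for e in whitelist_csv.split(",") if e.strip()]
    return {o for o in map(origin_of, entries) if o is not None}


def same_origin_guard(headers: dict[str, str], host: str,
                      whitelist_csv: str = "") -> tuple[bool, str]:
    """Return (allowed, reason) for one request's headers (header names are
    case-insensitive). Origin is consulted first, then Referer (assumption)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    candidate = lowered.get("origin") or lowered.get("referer")
    if candidate is None:
        return False, "neither Origin nor Referer header present"
    origin = origin_of(candidate)
    if origin is None:
        return False, f"unusable origin value: {candidate!r}"
    if origin in allowed_origins(host, whitelist_csv):
        return True, f"{origin} matches host or whitelist"
    return False, f"{origin} is not an allowed origin"


if __name__ == "__main__":
    # Constructed sample requests against the host and whitelist from the examples above.
    host, wl = "https://example.com", "http://domain1.com, http://domain2.com"
    print(same_origin_guard({"Referer": "https://example.com/form?x=1"}, host))
    print(same_origin_guard({"Origin": "http://domain2.com"}, host, wl))
    print(same_origin_guard({}, host))
```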