const class afSleepSafe::SameOriginGuard
sys::Obj afSleepSafe::SameOriginGuard : afSleepSafe::Guard

Guards against CSRF attacks by checking that the Referer or Origin HTTP header matches the Host.
The idea behind the same origin check is that standard form POST requests should originate from the same server. So the Referer and Origin HTTP headers are checked to ensure they match the server host. The Host parameter is determined from BedSheetServer.host() and is usually picked up from the BedSheetConfigIds.host config value.

Requests are also denied if neither the Referer nor the Origin HTTP header is present.

See Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for details.
Ioc Configuration

afIocConfig Key | Value
---|---
afSleepSafe.sameOriginWhitelist | A CSV of alternative allowed origins.
Example:

```fantom
@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afSleepSafe.sameOriginWhitelist"] = "http://domain1.com, http://domain2.com"
}
```

To configure the BedSheet host:

```fantom
@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afBedSheet.host"] = `https://example.com`
}
```

To disable CSRF referrer checking, remove this class from the SleepSafeMiddleware configuration:

```fantom
@Contribute { serviceType=SleepSafeMiddleware# }
Void contributeSleepSafeMiddleware(Configuration config) {
    config.remove(SameOriginGuard#)
}
```
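The decision rule described above (Origin or Referer must match the configured host or one of the whitelisted origins; deny when both headers are missing), reimplemented in Python as an added illustration. This is not afSleepSafe's code; the function name `same_origin_allowed`, the header dictionary shape, and the choice to prefer Origin over Referer when both are present are assumptions made here.

```python
from typing import Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL or Origin value to 'scheme://host[:port]'.

    Returns None for values with no scheme/host (e.g. the literal 'null'
    Origin some browsers send for opaque origins), so they never match.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def same_origin_allowed(headers: dict, host: str, whitelist: str = "") -> bool:
    """Model of the SameOriginGuard check (assumed reimplementation).

    headers   - request headers, names compared case-insensitively
    host      - configured application host (afBedSheet.host in the page's terms)
    whitelist - CSV of extra allowed origins (afSleepSafe.sameOriginWhitelist)
    """
    # Build the allow-set: the configured host plus any whitelisted origins.
    allowed = {origin_of(host)}
    allowed.update(o for o in (origin_of(x) for x in whitelist.split(",")) if o)

    hdrs = {name.lower(): value for name, value in headers.items()}
    # Assumption: Origin is consulted first (browsers set it on cross-site POSTs);
    # Referer is only a fallback when Origin is absent.
    candidate = hdrs.get("origin") or hdrs.get("referer")
    if candidate is None:
        return False  # neither header present: deny, as the guard does

    origin = origin_of(candidate)
    # Note: scheme and port are part of the comparison, so "http://" and
    # "https://" forms of the same host are distinct origins.
    return origin is not None and origin in allowed
```
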