const classafSleepSafe::SameOriginGuard

  afSleepSafe::SameOriginGuard : afSleepSafe::Guard

Guards against CSRF attacks by checking that the Referer or Origin HTTP header matches the Host.

The idea behind the same origin check is that standard form POST requests should originate from the same server. So the Referer and Origin HTTP headers are checked to ensure they match the server host. The Host parameter is determined from and is usually picked up from the config value.

Requests are also denied if neither the Referer and Origin HTTP header are present.

See Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for details.

Ioc Configuration

afIocConfig Key



A CSV of alternative allowed origins.


@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afSleepSafe.sameOriginWhitelist"] = ","

To configure the BedSheet host:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config[""] = ``

To disable CSRF referrer checking, remove this class from the SleepSafeMiddleware configuration:

@Contribute { serviceType=SleepSafeMiddleware# }
Void contributeSleepSafeMiddleware(Configuration config) {