p5.js-web-editor

Commit Graph

Author	SHA1	Message	Date
Andrew Nicolaou	6cbc376d6e	CSRF/XSS protection (#374 ) * /api endpoints only allows requests with application/json Content-Type Otherwise sends 406 Unacceptable * Uses CSRF token The CSRF token is sent as the cookie 'XSRF-TOKEN' on all HTML page requests. This token is picked up automatically by axios and sent to the API with all requests as an 'X-XSRF-TOKEN' header. The middleware runs on all routes and verifies that the token matches what's stored in the session.	2017-06-26 13:58:58 -04:00

Author

SHA1

Message

Date

Andrew Nicolaou

6cbc376d6e

CSRF/XSS protection (#374 )

* /api endpoints only allows requests with application/json Content-Type

Otherwise sends 406 Unacceptable

* Uses CSRF token

The CSRF token is sent as the cookie 'XSRF-TOKEN' on all HTML page
requests. This token is  picked up automatically by axios
and sent to the API with all requests as an 'X-XSRF-TOKEN' header.
The middleware runs on all routes and verifies that the token matches
what's stored in the session.

2017-06-26 13:58:58 -04:00

1 Commits