Posted to notifications@couchdb.apache.org by rnewson <gi...@git.apache.org> on 2015/08/01 18:37:47 UTC

[GitHub] couchdb-couch pull request: Add CSRF protection

Github user rnewson commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/80#issuecomment-126935884
  
    I've revised this and removed the coupling with the session cookie.
    
    A client that does not currently have a CouchDB-CSRF cookie can add X-CouchDB-CSRF: true to their request and will receive one. They must then send the cookie's value in the X-CouchDB-CSRF header for their request to succeed.
    
    The CSRF token check occurs before authentication so you can acquire the CSRF token immediately (perhaps when fetching the welcome message from /).
    
    The token will expire from time to time (same duration as the session cookie but without the automatic extension), so clients should do broadly this:
    
    // Cookie present: echo its value back in the header so the check passes.
    if (hasCookie("CouchDB-CSRF")) {
      setRequestHeader("X-CouchDB-CSRF", cookieValue("CouchDB-CSRF"));
    } else {
      // No cookie (first request, or token expired): ask the server to issue one.
      setRequestHeader("X-CouchDB-CSRF", "true");
    }

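The exchange described in the comment, as an added example that is not code from the pull request or from CouchDB: a client helper that builds the X-CouchDB-CSRF header from a cookie jar, and a simulated server-side check (assumed behaviour, modelled on the comment) so both halves can be exercised offline. The cookie jar, request objects and `newToken` generator are constructed stand-ins.

```javascript
const CSRF_COOKIE = "CouchDB-CSRF";
const CSRF_HEADER = "X-CouchDB-CSRF";

// Client side: pick the header value from a cookie jar (plain object).
// With a cookie, echo its value; without one, send "true" to request a token.
function csrfHeader(cookies) {
  const token = cookies[CSRF_COOKIE];
  return token ? token : "true";
}

// Parse a Cookie request header ("a=b; c=d") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) out[name] = rest.join("=");
  }
  return out;
}

// Server side (assumption: the comment does not show server code). The check
// runs before authentication. A request with no cookie that carries
// X-CouchDB-CSRF: true is issued a fresh token via Set-Cookie; any other
// request must send a header equal to its cookie value or it is refused.
// A cross-site form post can neither read the cookie nor set the custom
// header, so it fails this check.
function csrfCheck(req, newToken) {
  const cookies = parseCookies(req.headers.cookie);
  const header = req.headers[CSRF_HEADER.toLowerCase()];
  const cookie = cookies[CSRF_COOKIE];
  if (!cookie && header === "true") {
    return { ok: true, setCookie: `${CSRF_COOKIE}=${newToken()}` };
  }
  if (cookie && header === cookie) {
    return { ok: true };
  }
  return { ok: false, status: 403 };
}

// Walk a constructed client through bootstrap and a follow-up request.
function exchange() {
  const jar = {};
  const first = csrfCheck({ headers: { "x-couchdb-csrf": csrfHeader(jar) } }, () => "tok1");
  const [name, value] = first.setCookie.split("=");
  jar[name] = value; // browser stores the Set-Cookie
  const second = csrfCheck(
    { headers: { cookie: `${CSRF_COOKIE}=${jar[CSRF_COOKIE]}`, "x-couchdb-csrf": csrfHeader(jar) } },
    () => "unused"
  );
  return { first, second };
}
```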