
Added basic protection against CSRF to API endpoints

sergeychernyshev committed Mar 24, 2019
1 parent 3704847 commit bc50e8c6df01d9a2ed77c31974a14e7db9e0fdc5
Showing with 17 additions and 1 deletion.
  1. +13 −0 api.php
  2. +4 −1 themes/awesome/templates/swagger-ui.html.twig
13 api.php
@@ -120,6 +120,19 @@
header('Content-type: application/json');
try {
if ($_SERVER['REQUEST_METHOD'] !== "GET") {
$found_CSRF_header = false;
foreach (getallheaders() as $header => $value) {
if (strtolower($header) === 'x-csrf-token') {
$found_CSRF_header = true;
}
}
if (!$found_CSRF_header) {
throw new \StartupAPI\API\UnauthenticatedException("Missing X-CSRF-token header");
}
}
$endpoint = \StartupAPI\API\Endpoint::getEndpoint($_SERVER['REQUEST_METHOD'], $_GET['call']);
// default output format is JSON
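Review bot: The new guard under `if ($_SERVER['REQUEST_METHOD'] !== "GET")` only tests that an `X-CSRF-token` header is present and never compares its value to anything, so the protection rests entirely on browsers refusing to attach custom headers cross-origin without a CORS preflight; that is a legitimate but conditional defence, and it collapses if any endpoint later reflects arbitrary origins with `Access-Control-Allow-Credentials`, so the assumption deserves a comment such as `// Presence-only check: relies on browser same-origin/CORS rules for custom headers, not on a secret value`. Separately, `getallheaders()` is not defined under every SAPI (a missing function here is a fatal error, not a 401), while `$_SERVER['HTTP_X_CSRF_TOKEN']` is populated uniformly with the name already upper-cased and dash-normalised, so the whole loop can become `if (!isset($_SERVER['HTTP_X_CSRF_TOKEN'])) { throw new \StartupAPI\API\UnauthenticatedException("Missing X-CSRF-token header"); }`. Note also that HEAD and OPTIONS requests now fall under the check, and that any state-changing GET endpoint remains unprotected. The enclosing `try` block continues past the end of the hunk.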
@@ -26,7 +26,10 @@ window.onload = function() {
plugins: [
SwaggerUIBundle.plugins.DownloadUrl
],
layout: "StandaloneLayout"
layout: "StandaloneLayout",
requestInterceptor: function(a) {
this.headers['X-CSRF-token'] = "not a real token, but a placeholder";
}
})
window.ui = ui
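Review bot: The interceptor on the `requestInterceptor:` line mutates `this.headers` and returns nothing, whereas Swagger UI documents `requestInterceptor` as a function that receives the request and returns it (or a Promise of it); this appears to work only because the callback happens to be invoked with the request as `this`, which is an implementation detail rather than the contract. Using the parameter and returning it follows the documented shape: `requestInterceptor: function(a) { a.headers['X-CSRF-token'] = "not a real token, but a placeholder"; return a; }`. The placeholder value also makes visible that the server checks only for the header's presence, which is worth a one-line comment here so nobody later assumes the value is validated.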
