const class afSleepSafe::SameOriginGuard

sys::Obj
  afSleepSafe::SameOriginGuard : afSleepSafe::Guard

Guards against CSRF attacks by checking that the Referer or Origin HTTP header matches the Host.

The idea behind the same origin check is that standard form POST requests should originate from the same server. So the Referer and Origin HTTP headers are checked to ensure they match the server host. The Host parameter is determined from BedSheetServer.host() and is usually picked up from the BedSheetConfigIds.host config value.

Requests are also denied if neither the Referer nor the Origin HTTP header is present.

See the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for details.

Ioc Configuration

SameOriginGuard is disabled by default because a referrer policy is preferred. If a no-referrer policy is enforced (either explicitly, or as a fallback for older browsers) then, more than likely, this guard will fail!

To enable, contribute this class to the SleepSafeMiddleware configuration:

@Contribute { serviceType=SleepSafeMiddleware# }
Void contributeSleepSafeMiddleware(Configuration config) {
    config[SameOriginGuard#] = config.build(SameOriginGuard#)
}

Then to configure an origin whitelist:

afIocConfig Key                     Value
afSleepSafe.sameOriginWhitelist     A CSV of alternative allowed origins.

Example:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afSleepSafe.sameOriginWhitelist"] = "http://domain1.com, http://domain2.com"
}

To configure the BedSheet host:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afBedSheet.host"] = `https://example.com`
}
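To make the rule described above concrete, here is an added worked example of the same-origin check in Python. It is not afSleepSafe's own code and does not claim to match its implementation detail by detail: it assumes that an origin is compared as scheme, host and port (default ports dropped), that both the Origin and Referer headers must match when both are present, that a request carrying neither header is denied, and that the whitelist is the CSV described above. The header sets and host values are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Default ports that are dropped when normalising an origin (assumption of this example).
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the normalised 'scheme://host[:port]' of a URL, or None if it has none.

    A Referer carries a path and query; an Origin does not. Both reduce to the same
    scheme/host/port triple, which is what the check compares. An Origin of 'null'
    (sent by browsers in some privacy-sensitive contexts) has no scheme or host and
    therefore yields None, so it never matches.
    """
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        host = parts.hostname  # already lower-cased by urlsplit
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return None
    if not scheme or not host:
        return None
    if port is None or port == _DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def parse_whitelist(csv):
    """Parse the 'afSleepSafe.sameOriginWhitelist' CSV into a set of normalised origins."""
    return {o for o in (origin_of(item) for item in csv.split(",")) if o}


def same_origin_check(headers, host, whitelist_csv=""):
    """Decide whether a request passes the same-origin rule.

    headers       -- dict of request headers (names matched case-insensitively)
    host          -- the server host, as BedSheetServer.host() would return it
    whitelist_csv -- optional CSV of alternative allowed origins
    Returns (allowed: bool, reason: str).
    """
    allowed = parse_whitelist(whitelist_csv)
    server_origin = origin_of(host)
    if server_origin:
        allowed.add(server_origin)

    lower = {name.lower(): value for name, value in headers.items()}
    origin = lower.get("origin")
    referer = lower.get("referer")

    # Rule from the page: no Origin and no Referer at all means deny.
    if origin is None and referer is None:
        return False, "neither Origin nor Referer header present"

    # Every header that is present must resolve to an allowed origin.
    for name, value in (("Origin", origin), ("Referer", referer)):
        if value is None:
            continue
        if origin_of(value) not in allowed:
            return False, f"{name} {value!r} does not match host {host!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    host = "https://example.com"
    whitelist = "http://domain1.com, http://domain2.com"
    samples = [
        {"Origin": "https://example.com"},
        {"Referer": "https://example.com/login?next=/"},
        {},                                              # no-referrer policy: denied
        {"Origin": "https://attacker.invalid"},          # cross-site: denied
        {"Origin": "http://domain2.com"},                # whitelisted: allowed
        {"Origin": "null"},                              # opaque origin: denied
    ]
    for hdrs in samples:
        print(hdrs, "->", same_origin_check(hdrs, host, whitelist))
```

The empty-header sample is the case the Ioc Configuration section warns about: a browser honouring a no-referrer policy sends neither header for a plain form POST, and the guard has nothing to compare, so the request is refused rather than let through.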