const classafSleepSafe::SameOriginGuard
sys::Obj afSleepSafe::SameOriginGuard : afSleepSafe::Guard
Guards against CSRF attacks by checking that the Referer or Origin HTTP header matches the Host.
The idea behind the same origin check is that standard form POST requests should originate from the same server. So the Referer and Origin HTTP headers are checked to ensure they match the server host. The Host parameter is determined from BedSheetServer.host() and is usually picked up from the BedSheetConfigIds.host config value.
Requests are also denied if neither the Referer nor the Origin HTTP header is present.
See Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for details.
Ioc Configuration
SameOriginGuard is disabled by default because a referrer policy is preferred. If a no-referrer policy is enforced (either explicitly or as a fallback for older browsers) then the Referer header is not sent and, more than likely, this guard will fail!
To enable, contribute this class to the SleepSafeMiddleware configuration:

  @Contribute { serviceType=SleepSafeMiddleware# }
  Void contributeSleepSafeMiddleware(Configuration config) {
    config[SameOriginGuard#] = config.build(SameOriginGuard#)
  }
Then to configure an origin whitelist:

afIocConfig Key | Value
---|---
afSleepSafe.sameOriginWhitelist | A CSV of alternative allowed origins.
Example:

  @Contribute { serviceType=ApplicationDefaults# }
  Void contributeAppDefaults(Configuration config) {
    config["afSleepSafe.sameOriginWhitelist"] = "http://domain1.com, http://domain2.com"
  }
To configure the BedSheet host:

  @Contribute { serviceType=ApplicationDefaults# }
  Void contributeAppDefaults(Configuration config) {
    config["afBedSheet.host"] = `https://example.com`
  }
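The check described above (Origin or Referer must match the configured host or a whitelisted origin; no header at all means deny), worked through as an added stand-alone example in Python. This is not afSleepSafe's own code: the host and whitelist values are the page's sample values, and preferring Origin over Referer when both are present is an assumption of this example.

```python
from urllib.parse import urlsplit

# Constructed sample configuration, mirroring the page's examples.
HOST = "https://example.com"
WHITELIST = "http://domain1.com, http://domain2.com"


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin (lower-cased).
    Returns None for values with no usable scheme/host, e.g. the literal
    "null" that browsers send as Origin for privacy-sensitive contexts."""
    parts = urlsplit(url.strip())
    try:
        host, port = parts.hostname, parts.port  # hostname is lower-cased
    except ValueError:  # malformed port
        return None
    if not parts.scheme or not host:
        return None
    return f"{parts.scheme.lower()}://{host}" + (f":{port}" if port else "")


def allowed_origins(host=HOST, whitelist_csv=WHITELIST):
    """The server's own origin plus every parseable entry of the CSV whitelist."""
    allowed = {origin_of(item) for item in whitelist_csv.split(",")}
    allowed.add(origin_of(host))
    allowed.discard(None)
    return allowed


def same_origin_check(headers, host=HOST, whitelist_csv=WHITELIST):
    """Return None when the request passes, otherwise the reason it is denied.
    Assumption: Origin is consulted first and Referer only as a fallback."""
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("origin") or lowered.get("referer")
    if value is None:
        return "denied: neither Origin nor Referer header present"
    origin = origin_of(value)
    if origin is None:
        return f"denied: unparseable origin {value!r}"
    if origin not in allowed_origins(host, whitelist_csv):
        return f"denied: {origin} matches neither host nor whitelist"
    return None
```

Note that the scheme is part of the origin, so a Referer of http://example.com does not match a host configured as https://example.com.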