CheatSheetSeries
Update: CSRF by disallowing simple requests
What is missing or needs to be updated?
For CSRF mitigations, should a section be included suggesting that, for modern APIs that don't use forms, the API deny the simple content types (application/x-www-form-urlencoded, multipart/form-data, text/plain)? That would enforce CORS and mitigate CSRF.
How should this be resolved?
Add a section on configuring an API (or reverse proxy, API gateway) to disallow simple content-types
I agree and want to throw in my two cents.
There is a section on Employing Custom Request Headers for AJAX/API. By having the API assert that there is a custom header in the request, you are also asserting that the request was not simple.
However, a custom header is not the only way to assert that a request is not simple. A content-type header of application/json also makes the request preflight and causes the request not to be simple (as you mention). JSON-based applications are extremely common. If a client and server are already using JSON, having the API assert that content-type is application/json would (typically) require no extra work on the client, whereas the custom header technique requires work on the client to ensure ALL requests being sent have that header.
IMO, "Disallow non-simple requests" would be a primary section and the existing Employing Custom Request Headers for AJAX/API section would be a subsection of that.
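The check described in the issue and in the comment above, written out as an added Python example (it is not code from the cheat sheet, the CheatSheetSeries project, or either commenter). It normalises the Content-Type header the way the CORS safelist does (media type only, case-insensitive, parameters such as charset or boundary ignored), rejects the three simple types on state-changing methods, and wraps a hypothetical JSON API as WSGI middleware; the request values in `simulate` are constructed for the demonstration. The server-side check only works together with a CORS policy that does not approve arbitrary origins: the check forces the browser to preflight, and the preflight is what blocks the cross-site request.

```python
"""Reject CORS-"simple" content types on state-changing API requests.

Constructed example. The media-type parsing, check_request() and the
WSGI middleware are assumptions of this illustration, not the cheat
sheet's or any project's own code.
"""
from typing import Callable, Iterable, Optional, Tuple

# Media types a browser will send cross-origin WITHOUT a CORS preflight:
# HTML forms and fetch()/XHR with one of these count as "simple" requests.
SIMPLE_MEDIA_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Methods that change state and therefore need CSRF protection.
STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def media_type(content_type: Optional[str]) -> str:
    """Bare media type, lower-cased, parameters dropped:
    'Text/Plain; charset=utf-8' -> 'text/plain'.
    The CORS safelist is matched on exactly this form, so a
    'multipart/form-data; boundary=...' header is still simple."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_simple_content_type(content_type: Optional[str]) -> bool:
    return media_type(content_type) in SIMPLE_MEDIA_TYPES


def check_request(method: str, content_type: Optional[str],
                  accepted: Iterable[str] = ("application/json",)) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Safe methods pass untouched. State-changing requests must carry a
    content type that is (a) not on the simple list and (b) one the API
    actually speaks (application/json by default, as in the thread)."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    mt = media_type(content_type)
    if not mt:
        # A browser form always sets a simple type and a JSON client always
        # sets application/json, so an absent header is rejected outright.
        return False, "missing Content-Type"
    if mt in SIMPLE_MEDIA_TYPES:
        # This also covers <form enctype="text/plain"> bodies that merely
        # look like JSON: the media type is still text/plain.
        return False, f"simple content type {mt} not accepted"
    if mt not in {a.lower() for a in accepted}:
        return False, f"unsupported content type {mt}"
    return True, "non-simple request; cross-origin callers must preflight"


def reject_simple_requests(app: Callable) -> Callable:
    """WSGI middleware: answer 415 before the wrapped app sees the request."""
    def wrapped(environ, start_response):
        allowed, reason = check_request(environ.get("REQUEST_METHOD", "GET"),
                                        environ.get("CONTENT_TYPE"))
        if not allowed:
            body = reason.encode()
            start_response("415 Unsupported Media Type",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def json_api(environ, start_response):
    """Stand-in for the protected API (constructed)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def simulate(method: str, content_type: Optional[str]) -> str:
    """Drive the middleware with a constructed WSGI environ; return the status."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": method}
    if content_type is not None:
        environ["CONTENT_TYPE"] = content_type
    list(reject_simple_requests(json_api)(environ, start_response))
    return captured["status"]


if __name__ == "__main__":
    print("form POST   :", simulate("POST", "application/x-www-form-urlencoded"))
    print("JSON POST   :", simulate("POST", "application/json; charset=utf-8"))
    print("GET         :", simulate("GET", None))
```

In a real deployment the same rule can sit in a reverse proxy or API gateway in front of the application, as the issue suggests; the important details are the ones the helper handles: compare the media type only, ignore case and parameters, and treat a missing header on a state-changing request as a rejection rather than a pass.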
@birch-jayton and @jackevans43, yes, this section can be improved! There is also the related issue #1216; do you want to work on that?