csrf-protection

csrfProtection() should ignore GET/HEAD/OPTIONS

Open · johaven opened this issue 1 year ago • 1 comment

Prerequisites

  • [X] I have written a descriptive issue title
  • [X] I have searched existing issues to ensure the bug has not already been reported

Fastify version

4.28.1

Plugin version

7.0.0

Node.js version

20.x

Operating system

macOS

Operating system version (e.g. 20.04, 11.3, 10)

14.7

Description

Only HTTP methods that make changes to resources should be protected.

Most frameworks (like Angular) do not send the csrf token in request headers for GET/HEAD/OPTIONS methods.

// protect the fastify instance
fastify.addHook('onRequest', fastify.csrfProtection)

In this particular case (from the documentation), the whole instance is protected, so GET and other methods may be denied.

Take a look here: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#javascript-automatically-including-csrf-tokens-as-an-ajax-request-header

Perhaps an option to define ignored methods (the ones mentioned by default) would be nice and less blocking.

johaven avatar Oct 11 '24 12:10 johaven
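The behaviour johaven describes, and the requested workaround, as an added example that is not the plugin's code nor part of the original post: a wrapper around an onRequest-style hook that skips the token check for GET/HEAD/OPTIONS (configurable) and delegates every other method to the real check. It assumes the Fastify onRequest hook signature `(request, reply, done)` that the snippet above uses; `skipSafeMethods`, `fakeCsrfProtection` (a stand-in for `fastify.csrfProtection` so the example runs offline) and the constructed requests are hypothetical names. The caveat a practitioner should keep in mind: skipping safe methods is only sound if the application never changes state on GET, which is exactly what the OWASP cheat sheet linked above assumes.

```javascript
// Added example, not fastify/csrf-protection's own code.
// Methods the issue (and the OWASP cheat sheet) treat as read-only.
const DEFAULT_IGNORED_METHODS = ['GET', 'HEAD', 'OPTIONS'];

/**
 * Wrap an onRequest-style hook (request, reply, done) so that it is bypassed
 * for methods that must not change server state and enforced for all others.
 * Caveat: a GET handler that mutates state remains forgeable with this wrapper.
 */
function skipSafeMethods(protect, ignoredMethods = DEFAULT_IGNORED_METHODS) {
  const ignored = new Set(ignoredMethods.map((m) => m.toUpperCase()));
  return function csrfUnlessSafe(request, reply, done) {
    if (ignored.has(String(request.method).toUpperCase())) {
      return done(); // safe method: no token expected, let it through
    }
    return protect(request, reply, done); // state-changing: enforce the CSRF check
  };
}

// Stand-in for fastify.csrfProtection (hypothetical). It only models the
// observable behaviour the issue complains about: any request without a valid
// token is rejected, whatever its method.
function fakeCsrfProtection(request, reply, done) {
  if (request.headers['x-csrf-token'] === 'valid-token') {
    return done();
  }
  reply.statusCode = 403;
  return done(new Error('Missing or invalid CSRF token'));
}

// Drive a hook with a constructed request/reply and report the outcome.
function simulate(hook, method, headers = {}) {
  const request = { method, headers };
  const reply = { statusCode: 200 };
  let error = null;
  hook(request, reply, (err) => { error = err || null; });
  return { statusCode: reply.statusCode, error: error ? error.message : null };
}

// Constructed traffic resembling an Angular client: no token on GET,
// token only on the state-changing POST.
function demo() {
  const blanket = fakeCsrfProtection;            // instance-wide, as in the docs snippet
  const scoped = skipSafeMethods(fakeCsrfProtection);
  return {
    blanketGet: simulate(blanket, 'GET'),
    scopedGet: simulate(scoped, 'GET'),
    scopedPostNoToken: simulate(scoped, 'POST'),
    scopedPostWithToken: simulate(scoped, 'POST', { 'x-csrf-token': 'valid-token' }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the blanket hook the token-less GET is rejected with 403; with the wrapper the GET passes, a token-less POST is still rejected, and a POST carrying the token passes. The ignored-method list is a parameter so a deployment that knowingly mutates state on HEAD or OPTIONS can remove them from the list.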

Thanks for reporting! Would you like to send a Pull Request to address this issue? Remember to add unit tests.

mcollina avatar Oct 12 '24 10:10 mcollina

Closing. See https://github.com/fastify/csrf-protection/pull/167#issuecomment-2408720137

Fdawgs avatar Aug 14 '25 19:08 Fdawgs