
False positive on API call using JWT

Open · emilianodellacasa opened this issue 2 months ago · 1 comment

Hey Greg,

I have been scanning a project of mine using spektr and it's giving what at first sight seems to me a false positive.

This is the text of the warning:

Name: Cross-Site Request Forgery
Description: protect_from_forgery should be enabled
Path: app/controllers/api/v1/availables_controller.rb
Location: 
Code: 
Fingerprint: 499cb76d380f840970dafe01a9147684

As you see from the path it is an API call, and it is protected by a JWT authentication.

As far as I understand, protect_from_forgery is not needed for API calls with JWT and Bearer Token, as there is no cookie exchange involved, is it correct?

For the moment I added the fingerprints to ignore, but I was wondering if it is the right approach or is there a better way to deal with it.

As usual, thanks for your outstanding job!

emilianodellacasa · Oct 20 '25 13:10

Hi @emilianodellacasa, this is a false positive indeed, I will check how to handle it. I am in the middle of migrating the gem to prism; once that's done, I will sort this one out as well. Thanks for reporting!

gregmolnar · Oct 21 '25 07:10
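As an added example, not code from this issue or from the spektr gem, the Ruby sketch below shows the authentication path the reporter describes: an API endpoint that accepts only a Bearer JWT (HS256, verified with OpenSSL) and never consults cookies, which is why a forged cross-site request has no ambient credential to ride on and protect_from_forgery has nothing to protect. HMAC_SECRET, issue_jwt, verify_jwt, authenticate_api_request and the plain header Hash are assumptions for the demo, not identifiers from the reporter's project.

```ruby
require 'json'
require 'openssl'
# Constructed demo secret; a real app loads it from credentials, never from source.
HMAC_SECRET = 'demo-secret-not-for-production'

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end
# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Mint an HS256 token; stands in for whatever issues tokens to the API's clients.
def issue_jwt(claims, secret = HMAC_SECRET)
  head = b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  body = b64url_encode(JSON.generate(claims))
  sig  = b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}"))
  "#{head}.#{body}.#{sig}"
end

# Check signature and expiry; return the claims Hash, or nil on any failure.
def verify_jwt(token, secret = HMAC_SECRET, now = Time.now.to_i)
  parts = token.to_s.split('.')
  return nil unless parts.size == 3
  head, body, sig = parts
  return nil unless JSON.parse(b64url_decode(head))['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}")
  return nil unless secure_equal?(b64url_decode(sig), expected)
  claims = JSON.parse(b64url_decode(body))
  return nil unless claims.is_a?(Hash)
  return nil if claims['exp'].is_a?(Integer) && claims['exp'] <= now
  claims
rescue JSON::ParserError, ArgumentError, TypeError
  nil
end

# What an API controller like availables_controller.rb checks: only an explicit
# Authorization header counts. A cross-site forged request carries the victim's cookies
# automatically but cannot add this header, so CSRF does not apply to such endpoints.
# `headers` is a plain Hash standing in for Rails' request.headers (assumption).
def authenticate_api_request(headers)
  auth = headers['Authorization'].to_s
  return nil unless auth.start_with?('Bearer ')
  verify_jwt(auth.delete_prefix('Bearer '))
end
```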