sanic-wtf

sanic-wtf copied to clipboard

Hi there. Can someone tell me how to add csrf token on an ajax request i tried adding a "X-CSRF-TOKEN" header. But it still shows "CSRF token missing"

Unless you've changed it, the default name should be: "csrf_token".

Also, you have to send it as a form encoded request not JSON. The whole point of CSRF tokens is that they should be rendered server side. So, if you have a form rendered with sth like jinja, then you shouldn't really need to manually send the token.

Remember you can always disable csrf checking by setting WTF_CSRF_ENABLED to False.

Hope that helps :)

Hi @omarryhan Thanks for the reply. Just a few follow up questions here. If we're going to render the csrf token in the server side. Then whats the proper way of implementing csrf protection in ajax requests. Please remember that i'm using ReactJs for my front-end. And also are there ways to use HttpOnly Cookies to store csrf tokens instead of session.

Hi @omarryhan sorry for misunderstanding csrf. I saw a blog that shows a stateless way of implementing CSRF (https://blog.jdriven.com/2014/10/stateless-spring-security-part-1-stateless-csrf-protection/). Anyway the csrf token used here in this package i think is in a statefull way that uses session. Thanks for the help.