🔒 use cookieless csrf protection for uncritical requests
parent
3eb5826189
commit
82a49597d0
@ -1,9 +1,18 @@
<?php
declare(strict_types = 1);
namespace Kimendisch\Sbgg_Jetzt;
use Flake\Excuse;
use Flake\Error;
use Flake\Id64;
// CHECK CSRF PROTECTION //
$x_cookieless_csrf_protection = getallheaders()["x-cookieless-csrf-protection"] ?? null;
if($x_cookieless_csrf_protection !== "42"){
// show an excuse page
Excuse::show("invalid_csrf_token");
}
// DECODE REQUEST //
// get json string
$json_body = file_get_contents("php://input");
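Review bot: The lookup `getallheaders()["x-cookieless-csrf-protection"]` on the `$x_cookieless_csrf_protection` line is a case-sensitive array-key match, while HTTP header names are case-insensitive; on SAPIs that rebuild the header list from `$_SERVER` (PHP-FPM/CGI, as far as I recall) the key comes back as `X-Cookieless-Csrf-Protection`, so every request would be rejected as a CSRF failure even though the client does send the header. Reading the CGI variable is SAPI-independent and already normalised: `$x_cookieless_csrf_protection = $_SERVER["HTTP_X_COOKIELESS_CSRF_PROTECTION"] ?? null;`. The identical line appears in the other two handlers touched by this commit. The mechanism is sound only because browsers will not attach a custom request header to a cross-site request without a successful CORS preflight, so a CORS policy that lists this header in `Access-Control-Allow-Headers` for foreign origins reopens CSRF; that assumption deserves a comment above the check.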
@ -1,9 +1,18 @@
<?php
declare(strict_types = 1);
namespace Kimendisch\Sbgg_Jetzt;
use Flake\Excuse;
use Flake\Error;
use Flake\Id64;
// CHECK CSRF PROTECTION //
$x_cookieless_csrf_protection = getallheaders()["x-cookieless-csrf-protection"] ?? null;
if($x_cookieless_csrf_protection !== "42"){
// show an excuse page
Excuse::show("invalid_csrf_token");
}
// DECODE REQUEST //
// get json string
$json_body = file_get_contents("php://input");
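Review bot: The comparison `if($x_cookieless_csrf_protection !== "42")` reads like a token check, but nothing in the hunk ties `42` to a session or a secret, and the same literal is hard-coded in the client-side JavaScript of this commit, so the value is public; what actually provides the protection is that a browser refuses to add a custom header to a cross-origin request without a CORS preflight. I would say so above the check so a later maintainer does not "fix" it into a weaker form, e.g. accept the value from a query parameter or relax CORS: `// Not a secret: the defence is that browsers only send custom headers cross-origin after a CORS preflight, so never allow this header for foreign origins.` Since the value is not a secret, `!==` is fine here and `hash_equals()` is not needed, which is also worth one sentence in the comment.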
@ -1,8 +1,17 @@
<?php
declare(strict_types = 1);
namespace Kimendisch\Sbgg_Jetzt;
use Flake\Excuse;
use Flake\Error;
// CHECK CSRF PROTECTION //
$x_cookieless_csrf_protection = getallheaders()["x-cookieless-csrf-protection"] ?? null;
if($x_cookieless_csrf_protection !== "42"){
// show an excuse page
Excuse::show("invalid_csrf_token");
}
// DECODE REQUEST //
// get json string
$json_body = file_get_contents("php://input");
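Review bot: The rejection branch relies on `Excuse::show("invalid_csrf_token")` never returning; the hunk shows no `exit` after it, so if that helper only renders a page the request falls through to `file_get_contents("php://input")` and the handler runs on an unverified request. Either confirm `Excuse::show` is declared `: never` (or calls `exit` itself) or make this handler fail closed regardless of the helper: `Excuse::show("invalid_csrf_token"); exit;`. The same structure is used in the other two handlers of this commit, so whichever way it is resolved should be applied to all three. The handler continues past the end of this hunk.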
@ -56,6 +56,7 @@ async function newsletter_submit(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "/api/newsletter/subscribe", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("x-cookieless-csrf-protection", "42");
xhr.send(JSON.stringify({
mail_address: mail_address,
verify_key: verify_key
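Review bot: The header name and the literal `"42"` are now hard-coded in three request paths of this commit (subscribe, unsubscribe, verify) and must stay in sync with the server-side check, so a shared definition would make the next change a single edit: `const CSRF_HEADER = "x-cookieless-csrf-protection";` / `const CSRF_VALUE = "42";` and `xhr.setRequestHeader(CSRF_HEADER, CSRF_VALUE);`. A one-line comment at the call site would also help, since the value looks like a token but is not one: `// not a secret: the custom header forces a CORS preflight, which blocks cross-site form posts`. newsletter_submit starts before this hunk and continues after it.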
@ -56,6 +56,7 @@ async function newsletter_submit(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "/api/newsletter/unsubscribe", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("x-cookieless-csrf-protection", "42");
xhr.send(JSON.stringify({
mail_address: mail_address,
unsubscribe_key: unsubscribe_key
@ -192,6 +192,7 @@ async function newsletter_submit(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "/api/newsletter/verify", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("x-cookieless-csrf-protection", "42");
xhr.send(JSON.stringify({
mail_address: mail_address,
language: language