mirror of
https://github.com/strapi/strapi.git
synced 2025-07-23 17:10:08 +00:00
36 lines
975 B
Markdown
---
title: CSRF
---

Cross Site Request Forgery (CSRF) is an attack in which a victim's browser is tricked (for example by a form or script on an attacker-controlled page) into sending a request to a web application backend with which the victim is currently authenticated. Because the browser attaches session cookies automatically, the backend cannot distinguish such a forged request from a legitimate one unless the request carries something the attacker cannot obtain, such as a per-session token.

Strapi bundles optional CSRF protection out of the box.

## Configuration

Configuration:

- Key: `csrf`
- Environment: `development`
- Location: `./config/environments/development/security.json`
- Type: `object`

```json
{
  "csrf": {
    "key": "_csrf",
    "secret": "_csrfSecret"
  }
}
```

Options:

- `key` (string): The name of the CSRF token added to the model, and the parameter name under which a client sends the token back. Defaults to `_csrf`.
- `secret` (string): The key to place on the session object which maps to the server side token. Defaults to `_csrfSecret`.

Notes:

- Set `csrf` to `false` to disable CSRF protection. Only do this when the API is not driven by cookie-authenticated browser sessions (for example when every request is authenticated with an explicit bearer token that the browser never attaches on its own).
- If you have existing code that communicates with your Strapi backend via `POST`, `PUT`, or `DELETE` requests, you'll need to acquire a CSRF token and include it as a parameter or header in those requests; otherwise those requests are rejected by the CSRF check once protection is enabled.