mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2026-06-23 04:10:17 +00:00
66d052d611
This adds a new endpoint /api/private/csrf/token which serves a CSRF token that is stored in the user's session. Following requests with POST, PUT, PATCH or DELETE request methods need to provide this token in the CSRF-Token header. Since this is not possible to do via HTML forms or other cross-site effects, this prevents cross-site attacks.

The frontend loads the CSRF token on app initialization and stores it in Redux. It keeps using the token for up to one hour and then updates the stored token from the API endpoint again.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
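The mechanism the commit message describes, as an added, self-contained example that is not HedgeDoc's code: a session-bound token issued the way a handler for /api/private/csrf/token would, a server-side guard that only enforces the header on POST, PUT, PATCH and DELETE, and a client-side cache that re-fetches the token after one hour. The `Session` shape, the function and class names, the hex token encoding and the injectable clock/fetcher are assumptions made for the example; the endpoint path, header name, method list and one-hour refresh come from the commit message.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Hypothetical session shape: HedgeDoc's real session object is not shown on the page.
export interface Session {
  csrfToken?: string;
}

// The commit names these as the methods that must carry the token.
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
const CSRF_HEADER = "csrf-token"; // HTTP header names are case-insensitive
const TOKEN_MAX_AGE_MS = 60 * 60 * 1000; // the frontend re-fetches after one hour

// Server side: what a handler for /api/private/csrf/token would return.
// The token lives in the session, so it is bound to this user's cookie and
// is unknown to a page on another origin.
export function issueCsrfToken(session: Session): string {
  if (session.csrfToken === undefined) {
    session.csrfToken = randomBytes(32).toString("hex");
  }
  return session.csrfToken;
}

// Server side: guard to run before any route handler. Safe methods pass
// through; mutating requests must present the session's token in the header.
export function checkCsrf(
  session: Session,
  method: string,
  headers: Record<string, string>,
): boolean {
  if (!MUTATING_METHODS.has(method.toUpperCase())) {
    return true;
  }
  const expected = session.csrfToken;
  if (expected === undefined) {
    return false; // no token was ever issued for this session: reject
  }
  // Look the header up case-insensitively, as a real HTTP stack would.
  const presented = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === CSRF_HEADER,
  )?.[1];
  if (presented === undefined) {
    return false; // an HTML form post or <img> request cannot set a custom header
  }
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  // Constant-time comparison; timingSafeEqual requires equal-length inputs.
  return a.length === b.length && timingSafeEqual(a, b);
}

// Client side: the Redux-like cache the commit describes, with an injectable
// fetcher and clock so the hourly refresh can be exercised offline.
export class CsrfTokenCache {
  private token: string | null = null;
  private fetchedAt = 0;
  public fetches = 0;

  constructor(
    private readonly fetchToken: () => string, // stands in for GET /api/private/csrf/token
    private readonly now: () => number = Date.now,
  ) {}

  // Returns the cached token, re-fetching once it is an hour old.
  get(): string {
    const age = this.now() - this.fetchedAt;
    if (this.token === null || age >= TOKEN_MAX_AGE_MS) {
      this.token = this.fetchToken();
      this.fetchedAt = this.now();
      this.fetches += 1;
    }
    return this.token;
  }

  // Headers the client attaches to a mutating request.
  headersFor(): Record<string, string> {
    return { "CSRF-Token": this.get() };
  }
}

// Constructed end-to-end scenario: same-origin client, cross-site form post, safe GET.
export function demo(): { sameOrigin: boolean; crossSite: boolean; safeGet: boolean } {
  const session: Session = {};
  const client = new CsrfTokenCache(() => issueCsrfToken(session));
  return {
    sameOrigin: checkCsrf(session, "POST", client.headersFor()),
    crossSite: checkCsrf(session, "POST", { "content-type": "application/x-www-form-urlencoded" }),
    safeGet: checkCsrf(session, "GET", {}),
  };
}
```

Two points worth checking in any real deployment of this pattern: the guard has to run on every state-changing route on the server (a missed route is an unprotected route), and the protection rests on the browser refusing to send custom headers cross-origin without a successful CORS preflight, so a permissive CORS policy that allows the CSRF-Token header from arbitrary origins would undo it.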