Add CSRF protection by Shane32 · Pull Request #1138 · graphql-dotnet/server
Requires CORS preflight requests by ensuring that the requests are not 'simple' - e.g. GET requests or form-POST requests - or that a specific header has been added to the request.
See similar logic: https://www.apollographql.com/docs/apollo-server/security/cors/#preventing-cross-site-request-forgery-csrf
The chosen default header was based on the current proposal by the GraphQL working group. See:
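The decision rule sketched in the description, written out as a standalone ASP.NET Core helper. This is an added example, not code from this PR; the default header name `GraphQL-Require-Preflight` and the helper names are assumptions, since the PR text above does not state which header it chose.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Http;

// Added example, not code from the PR. Lets a request through only if a browser
// would have sent a CORS preflight for it (it is not a CORS "simple" request),
// or if it carries one of the configured headers with a non-empty value.
public static class CsrfPreflightCheck
{
    // Assumed default header name; the PR text does not state the chosen default.
    public static readonly string[] DefaultHeaders = { "GraphQL-Require-Preflight" };

    // Content types a browser may send cross-origin without a preflight.
    // Any other Content-Type (e.g. application/json) forces a preflight.
    private static readonly string[] SimpleContentTypes =
    {
        "application/x-www-form-urlencoded",
        "multipart/form-data",
        "text/plain",
    };

    // A CORS "simple" request: GET, HEAD or POST with no body content type,
    // or with one of the safelisted content types above.
    public static bool IsSimpleRequest(HttpRequest request)
    {
        if (!HttpMethods.IsGet(request.Method)
            && !HttpMethods.IsHead(request.Method)
            && !HttpMethods.IsPost(request.Method))
            return false;

        if (string.IsNullOrEmpty(request.ContentType))
            return true;

        // Compare only the media type, ignoring parameters such as charset.
        var mediaType = request.ContentType.Split(';')[0].Trim();
        return SimpleContentTypes.Contains(mediaType, StringComparer.OrdinalIgnoreCase);
    }

    // True when at least one configured header is present with a non-empty value.
    public static bool HasCsrfHeader(HttpRequest request, IEnumerable<string> headerNames)
        => headerNames.Any(name =>
            request.Headers.TryGetValue(name, out var values)
            && values.Count > 0
            && !string.IsNullOrEmpty(values[0]));

    // Returns true when the request may proceed to the GraphQL handler; callers
    // should reject (e.g. 400 Bad Request) when this returns false.
    public static bool IsAllowed(HttpRequest request, IEnumerable<string>? headerNames = null)
        => !IsSimpleRequest(request) || HasCsrfHeader(request, headerNames ?? DefaultHeaders);
}
```

Run before the GraphQL request is executed: a plain GET or a form-encoded POST without the header is rejected, while a JSON POST passes because the browser would already have preflighted it.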
Shane32 added 8 commits August 3, 2024 13:02
Shane32 added 2 commits August 3, 2024 15:14
Shane32 requested a review from gao-artur
github-advanced-security bot found potential problems Aug 3, 2024
Comment on lines +510 to +514

    // Any configured CSRF header present with a non-empty value means the
    // request was not a 'simple' cross-site request, so it passes the check.
    foreach (var header in _options.CsrfProtectionHeaders)
    {
        if (context.Request.Headers.TryGetValue(header, out var values) && values.Count > 0 && values[0]?.Length > 0)
            return false;
    }

Check notice - Code scanning / CodeQL: Missed opportunity to use Where
This foreach loop implicitly filters its target sequence - consider filtering the sequence explicitly using '.Where(...)'.
gao-artur reviewed Aug 3, 2024
Comments on tests/Transports.AspNetCore.Tests/Middleware/GetTests.cs (outdated, resolved)
gao-artur approved these changes Aug 3, 2024
Shane32 merged commit 23b5829 into develop
Shane32 deleted the csrf branch
dependabot bot mentioned this pull request