The security_context class contains some rudimentary support for protecting against CSRF attacks. It works as follows: the server class adds a special csrf-token cookie to a session. This cookie is stored in the browser with the flags SameSite=Lax and HttpOnly. HttpOnly makes the cookie unreadable to malicious scripts that might have been injected into your pages, and SameSite=Lax keeps the browser from attaching it to cross-site POST requests. If a value has been set for this cookie and the security_context has the set_validate_csrf flag set, each POST or SUBMIT request is checked for a _csrf parameter, which must contain the same value as the csrf-token cookie.
So, to use this functionality, call the set_validate_csrf method on a newly created security_context instance. Next, make sure that every form or POST call contains a _csrf parameter whose value is the one stored in the session cookie csrf-token. This value can be obtained by calling zeep::http::context::get_csrf_token.
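The following is an added, self-contained illustration of the double-submit-cookie check described in the two paragraphs above: the Set-Cookie header with SameSite=Lax and HttpOnly, the hidden _csrf form field, and the server-side comparison of cookie against parameter on POST. It is not libzeep code; the Request struct and the functions set_cookie_header, hidden_csrf_field, equal_constant_time and csrf_check_passes are stand-ins assumed for this example, and the token value is a constructed sample.

```cpp
// Added illustration of the double-submit-cookie CSRF check, not libzeep code.
// Request, set_cookie_header, hidden_csrf_field and csrf_check_passes are
// assumed stand-ins; a real server would use its own request type.
#include <cstddef>
#include <map>
#include <string>

// Stand-in for a parsed HTTP request (assumed shape, not zeep::http::request).
struct Request {
    std::string method;                          // "GET", "POST", ...
    std::map<std::string, std::string> cookies;  // parsed Cookie header
    std::map<std::string, std::string> params;   // form fields / query string
};

// Set-Cookie header sent once per session. HttpOnly keeps injected script from
// reading the token; SameSite=Lax keeps the browser from attaching it to
// cross-site POSTs. The token is assumed to be a random, per-session value
// generated elsewhere from a CSPRNG.
std::string set_cookie_header(const std::string& token) {
    return "csrf-token=" + token + "; Path=/; SameSite=Lax; HttpOnly";
}

// Hidden input to place in every form, carrying the same value as the cookie.
// The token is assumed to be hex or URL-safe base64, so no HTML escaping is
// needed here.
std::string hidden_csrf_field(const std::string& token) {
    return "<input type=\"hidden\" name=\"_csrf\" value=\"" + token + "\">";
}

// Constant-time comparison so that response timing cannot leak the token
// byte by byte.
bool equal_constant_time(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff = static_cast<unsigned char>(
            diff | (static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i])));
    return diff == 0;
}

// Returns true when the request may proceed. Only POST is checked, matching
// the page; GET is left alone because it must not change state anyway.
// A missing or empty cookie fails closed: a session that never received a
// token gets no POSTs through either, rather than silently skipping the check.
bool csrf_check_passes(const Request& req, bool validate_csrf) {
    if (!validate_csrf || req.method != "POST") return true;
    auto cookie = req.cookies.find("csrf-token");
    if (cookie == req.cookies.end() || cookie->second.empty()) return false;
    auto param = req.params.find("_csrf");
    if (param == req.params.end()) return false;
    return equal_constant_time(cookie->second, param->second);
}

int main() {
    const std::string token = "Zl8k3QxT9pW2";  // constructed sample token
    Request legit{"POST", {{"csrf-token", token}}, {{"_csrf", token}}};
    Request forged{"POST", {{"csrf-token", token}}, {{"_csrf", "attacker-guess"}}};
    return (csrf_check_passes(legit, true) && !csrf_check_passes(forged, true)) ? 0 : 1;
}
```

The check deliberately fails closed when the csrf-token cookie is absent. The page's wording ("if a value has been set for this cookie") could be read as skipping validation in that case; if that is how a server behaves, an attacker who can make the victim's browser drop the cookie can bypass the protection, so a practitioner should verify which behaviour their server actually has.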