libzeep


CSRF protection

The security_context class contains some rudimentary support for protecting against CSRF attacks. It works as follows: the server class adds a special csrf-token cookie to a session. This cookie is stored in the browser with the flags SameSite=Lax and HttpOnly. HttpOnly keeps the value out of reach of any malicious script that might have been injected into your pages, and SameSite=Lax keeps the browser from attaching the cookie to POST requests that originate from another site. If this cookie has been given a value and set_validate_csrf has been called on the security_context instance, every POST (including form submissions) is checked for a _csrf parameter, which must contain the same value as the csrf-token cookie.

So, to use this functionality, call the set_validate_csrf method on a newly created security_context instance. Next, make sure that every form and every other POST request contains a _csrf parameter carrying the value stored in the csrf-token session cookie. Because the cookie is HttpOnly, script in the page cannot read it; obtain the value server side by calling zeep::http::context::get_csrf_token and embed it in the page, typically as a hidden input field of the form.
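The mechanism the two paragraphs above describe, as an added stand-alone example rather than libzeep's own code: it generates a token, builds the Set-Cookie value with the two flags named above, renders the hidden _csrf form field, and applies the check to an incoming request. The Request struct, parse_kv, url_decode and all function names are assumptions made for this example; libzeep's real types and signatures differ. One deliberate difference from the rule as the text states it: this validator rejects a POST that carries no csrf-token cookie at all instead of skipping the check.

```cpp
#include <cctype>
#include <cstddef>
#include <map>
#include <random>
#include <string>
#include <string_view>

// Hypothetical request shape for this example (not libzeep's request class):
// the HTTP method, the raw Cookie header and the urlencoded POST body.
struct Request {
    std::string method;
    std::string cookie_header;  // e.g. "session=xyz; csrf-token=abc"
    std::string body;           // application/x-www-form-urlencoded
};

// Fresh 256-bit token, hex encoded. std::random_device reads OS entropy on
// mainstream platforms; a production server should use its crypto library's RNG.
std::string make_csrf_token() {
    std::random_device rd;
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (int i = 0; i < 8; ++i) {
        unsigned v = rd();
        for (int b = 0; b < 4; ++b) {
            unsigned byte = (v >> (8 * b)) & 0xffu;
            out += hex[byte >> 4];
            out += hex[byte & 0xfu];
        }
    }
    return out;
}

// Set-Cookie value with the two flags the text names. Add "; Secure" on a
// site served over TLS so the cookie never travels in clear text.
std::string csrf_set_cookie(const std::string& token) {
    return "csrf-token=" + token + "; Path=/; HttpOnly; SameSite=Lax";
}

// Hidden form field carrying the same token, rendered server side because
// HttpOnly keeps page scripts from reading the cookie. Hex needs no HTML escaping.
std::string csrf_hidden_input(const std::string& token) {
    return "<input type=\"hidden\" name=\"_csrf\" value=\"" + token + "\">";
}

// Minimal percent-decoding for form bodies ('+' and %XX).
std::string url_decode(std::string_view s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        bool pct = s[i] == '%' && i + 2 < s.size() &&
                   std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
                   std::isxdigit(static_cast<unsigned char>(s[i + 2]));
        if (pct) { out += static_cast<char>(std::stoi(std::string(s.substr(i + 1, 2)), nullptr, 16)); i += 2; }
        else out += (s[i] == '+') ? ' ' : s[i];
    }
    return out;
}

// Split "k=v<sep>k2=v2" into a map, trimming spaces; percent-decode when asked.
std::map<std::string, std::string> parse_kv(std::string_view s, char sep, bool decode) {
    std::map<std::string, std::string> out;
    std::size_t pos = 0;
    while (pos <= s.size()) {
        std::size_t end = s.find(sep, pos);
        if (end == std::string_view::npos) end = s.size();
        std::string_view item = s.substr(pos, end - pos);
        while (!item.empty() && item.front() == ' ') item.remove_prefix(1);
        while (!item.empty() && item.back() == ' ') item.remove_suffix(1);
        std::size_t eq = item.find('=');
        if (eq != std::string_view::npos) {
            std::string k(item.substr(0, eq)), v(item.substr(eq + 1));
            out[decode ? url_decode(k) : k] = decode ? url_decode(v) : v;
        }
        pos = end + 1;
    }
    return out;
}

// Constant-time comparison so the position of a mismatch cannot be timed.
bool constant_time_equal(std::string_view a, std::string_view b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i) diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// The rule the text describes: with validation enabled, every POST must carry
// a _csrf parameter equal to the csrf-token cookie. GET and other safe methods
// pass. A POST with no csrf-token cookie is rejected here, not skipped.
bool validate_csrf(const Request& req, bool validate_enabled) {
    if (!validate_enabled || req.method != "POST") return true;
    auto cookies = parse_kv(req.cookie_header, ';', false);
    auto params  = parse_kv(req.body, '&', true);
    auto c = cookies.find("csrf-token");
    auto p = params.find("_csrf");
    if (c == cookies.end() || p == params.end()) return false;
    return constant_time_equal(c->second, p->second);
}
```

A form on another origin cannot read the csrf-token cookie (HttpOnly, and the cookie is not the attacker's to read anyway), so a cross-site POST either arrives without a _csrf parameter or with a guessed one, and validate_csrf rejects both. The comparison is constant time so a remote attacker cannot use response timing to recover the token byte by byte.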

