Skip to content

Add CSRF protection #1138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Shane32 merged 11 commits into from
Aug 3, 2024
Merged

Add CSRF protection #1138

Shane32 merged 11 commits into from
Aug 3, 2024

Conversation

@Shane32
Copy link
Member

@Shane32 Shane32 commented Aug 3, 2024
edited
Loading

Requires CORS preflight requests by ensuring that the requests are not 'simple' - e.g. GET request or form-POST requests - or that a specific header has been added to the request.

See similar logic: https://www.apollographql.com/docs/apollo-server/security/cors/#preventing-cross-site-request-forgery-csrf

The chosen default header was based on the current proposal by the GraphQL working group. See:

@Shane32 Shane32 added the enhancement New feature or request label Aug 3, 2024
@Shane32 Shane32 added this to the 8.0 milestone Aug 3, 2024
@Shane32 Shane32 self-assigned this Aug 3, 2024
@Shane32 Shane32 linked an issue Aug 3, 2024 that may be closed by this pull request
Add CSRF protection #1086
Closed
@Shane32 Shane32 requested a review from gao-artur August 3, 2024 19:16
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 3, 2024
View reviewed changes
src/Transports.AspNetCore/GraphQLHttpMiddleware.cs
Comment on lines +510 to +514
foreach (var header in _options.CsrfProtectionHeaders)
{
if (context.Request.Headers.TryGetValue(header, out var values) && values.Count > 0 && values[0]?.Length > 0)
return false;
}

Check notice

Code scanning / CodeQL

Missed opportunity to use Where

This foreach loop [implicitly filters its target sequence](1) - consider filtering the sequence explicitly using '.Where(...)'.
gao-artur
gao-artur reviewed Aug 3, 2024
View reviewed changes
@Shane32 Shane32 merged commit 23b5829 into develop Aug 3, 2024
@Shane32 Shane32 deleted the csrf branch August 3, 2024 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gao-artur gao-artur gao-artur approved these changes

Assignees

@Shane32 Shane32

Labels

enhancement New feature or request

Projects

None yet

Milestone

8.0

Development

Successfully merging this pull request may close these issues.

Add CSRF protection

3 participants

@Shane32 @gao-artur