mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-09-19 16:06:32 +02:00
c1cda2b113
* DOCS: Add new graphql 4 docs * Reorganise docs * Docs done * Basic graphql index page * TOC for getting started * show folders on graphql index page * Add middleware note * Docs update * Update docs to reflect flushless schema * Docs updates * Docs for getByLink * Query caching docs * Docs on nested operations * update docs for new graphql dev admin * Docs for configurable operations * Replace readSiteTrees with readPages * Schema defaults docs * Docs for inherited plugins * Docs for customising * * Docs for field whitelisting * Change whitelist word * New docs on modelConfig * Document dev/build extension * Document default/global plugins * Document new input type fields config * Apply suggestions from code review Co-authored-by: Andre Kiste <bergice@users.noreply.github.com> * Note about when procedural schema gets built * Fix link * Apply suggestions from code review Co-authored-by: Andre Kiste <bergice@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Andre Kiste <bergice@users.noreply.github.com> * DOCS Note about plugins in custom queries * DOCS Note about filter and custom resolvers * DOCS Note about canview paging * DOCS Updated guidance on _extend See https://github.com/silverstripe/silverstripe-graphql/issues/296 * Apply suggestions from code review Co-authored-by: Andre Kiste <bergice@users.noreply.github.com> * DOCS Pre-release warning Co-authored-by: Ingo Schommer <ingo@silverstripe.com> Co-authored-by: Andre Kiste <bergice@users.noreply.github.com> Co-authored-by: Ingo Schommer <me@chillu.com>
53 lines
2.2 KiB
Markdown
53 lines
2.2 KiB
Markdown
---
|
|
title: CSRF protection
|
|
summary: Protect destructive actions from cross-site request forgery
|
|
---
|
|
# Security & best practices
|
|
|
|
[CHILDREN asList]
|
|
|
|
[alert]
|
|
You are viewing docs for a pre-release version of silverstripe/graphql (4.x).
|
|
Help us improve it by joining #graphql on the [Community Slack](https://www.silverstripe.org/blog/community-slack-channel/),
|
|
and report any issues at [github.com/silverstripe/silverstripe-graphql](https://github.com/silverstripe/silverstripe-graphql).
|
|
Docs for the current stable version (3.x) can be found
|
|
[here](https://github.com/silverstripe/silverstripe-graphql/tree/3)
|
|
[/alert]
|
|
|
|
## CSRF tokens (required for mutations)
|
|
|
|
Even if your graphql endpoints are behind authentication, it is still possible for unauthorised
|
|
users to access that endpoint through a [CSRF exploitation](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)). This involves
|
|
forcing an already authenticated user to access an HTTP resource unknowingly (e.g. through a fake image), thereby hijacking the user's
|
|
session.
|
|
|
|
In the absence of a token-based authentication system, like OAuth, the best countermeasure to this
|
|
is the use of a CSRF token for any requests that destroy or mutate data.
|
|
|
|
By default, this module comes with a `CSRFMiddleware` implementation that forces all mutations to check
|
|
for the presence of a CSRF token in the request. That token must be applied to a header named` X-CSRF-TOKEN`.
|
|
|
|
In SilverStripe, CSRF tokens are most commonly stored in the session as `SecurityID`, or accessed through
|
|
the `SecurityToken` API, using `SecurityToken::inst()->getValue()`.
|
|
|
|
Queries do not require CSRF tokens.
|
|
|
|
### Disabling CSRF protection (for token-based authentication only)
|
|
|
|
If you are using HTTP basic authentication or a token-based system like OAuth or [JWT](https://github.com/Firesphere/silverstripe-graphql-jwt),
|
|
you will want to remove the CSRF protection, as it just adds unnecessary overhead. You can do this by setting
|
|
the middleware to `false`.
|
|
|
|
|
|
```yaml
|
|
SilverStripe\GraphQL\QueryHandler\QueryHandlerInterface.default:
|
|
class: SilverStripe\GraphQL\QueryHandler\QueryHandler
|
|
properties:
|
|
Middlewares:
|
|
csrf: false
|
|
```
|
|
|
|
### Further reading
|
|
|
|
[CHILDREN]
|