class Rack::Protection::JsonCsrf

Prevented attack: CSRF
Supported browsers: all
More infos: flask.pocoo.org/docs/security/#json-security

JSON GET APIs are vulnerable to being embedded as JavaScript while the Array prototype has been patched to track data. Checks the referrer even on GET requests if the content type is JSON.

def call(env)

    def call(env)
      status, headers, body = app.call(env)
      # Only JSON responses are checked; the media type is compared without
      # any ";charset=..." parameter.
      if headers['Content-Type'].to_s.split(';', 2).first.strip == 'application/json'
        # A referrer that does not match the request host (including a
        # missing referrer) triggers the configured reaction.
        result = react(env) if referrer(env) != Request.new(env).host
      end
      result or [status, headers, body]
    end
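The following is an added example, not rack-protection's own code: a minimal Rack-style middleware that mirrors the check above without depending on the gem. It assumes the wrapped app returns a `[status, headers, body]` triple, that the referrer host is taken from `env['HTTP_REFERER']`, that the request host comes from `env['HTTP_HOST']` with any port stripped (as `Rack::Request#host` does), and that the reaction to a mismatch is a plain 403. The sample app and request environments are constructed for the example.

```ruby
require 'uri'

# Added example (hypothetical class, not Rack::Protection::JsonCsrf itself).
class JsonReferrerCheck
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Only JSON responses are affected; drop any ";charset=..." parameter first.
    media_type = headers['Content-Type'].to_s.split(';', 2).first.to_s.strip
    return [status, headers, body] unless media_type == 'application/json'

    # As on the page: a referrer that differs from the request host, which
    # includes the case of no Referer header at all, is rejected.
    if referrer_host(env) != request_host(env)
      return [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
    end
    [status, headers, body]
  end

  private

  # Host part of the Referer header, or nil when absent or unparsable.
  def referrer_host(env)
    ref = env['HTTP_REFERER'].to_s
    return nil if ref.empty?
    URI.parse(ref).host
  rescue URI::InvalidURIError
    nil
  end

  # Host header without the port, mirroring Rack::Request#host.
  def request_host(env)
    env['HTTP_HOST'].to_s.split(':', 2).first
  end
end

# Constructed sample app: answers JSON everywhere except /plain.
JSON_APP = lambda do |env|
  if env['PATH_INFO'] == '/plain'
    [200, { 'Content-Type' => 'text/plain' }, ['ok']]
  else
    [200, { 'Content-Type' => 'application/json; charset=utf-8' }, ['{"secret":1}']]
  end
end

# Runs one constructed GET request through the middleware and returns the status.
def json_csrf_status(referer, path: '/api', host: 'example.test')
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'HTTP_HOST' => host }
  env['HTTP_REFERER'] = referer if referer
  JsonReferrerCheck.new(JSON_APP).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts json_csrf_status('http://example.test/page')  # same-host referrer passes
  puts json_csrf_status('http://evil.test/page')     # cross-site referrer blocked
  puts json_csrf_status(nil)                         # missing referrer blocked
end
```

Note the third case: because the comparison is `referrer != host`, a JSON GET with no Referer header at all is rejected too, so direct API clients and bookmarked JSON URLs are affected unless the application handles that case separately.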