Roda 3.100.0 Released #410
jeremyevans
Roda 3.100.0 has been released!
New Features
A sec_fetch_site_csrf plugin has been added, which implements
CSRF protection using the Sec-Fetch-Site request header. This offers weaker
CSRF protection than the route_csrf plugin, but doesn't require CSRF
tokens in forms. Other caveats when using the plugin:
- Not all browsers set the Sec-Fetch-Site header. Some popular
  browsers did not add support until 2023.
- Sec-Fetch-Site is only set on HTTPS requests, not on HTTP
  requests, so if you need to support HTTP requests, you cannot
  rely on it.
- There is no support for cross-site secure CSRF protection by
  sharing the token used.
Like the route_csrf plugin, the sec_fetch_site_csrf plugin exposes
a method (check_sec_fetch_site!) that you can call at the
appropriate point in your routing tree to enforce the CSRF
protection.
By default, only same-origin requests are allowed. Using
plugin options, you can also allow same-site or none requests, or
allow requests where the header is not present.
For CSRF violations, the default is to raise an exception. You can
use plugin options to either return a blank 403 page or clear the
current session. You can also pass a block to either the plugin or
to the check_sec_fetch_site! method for custom handling.
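To make the policy above concrete, here is an added illustration (not the plugin's own code) of a Sec-Fetch-Site check over a plain Rack env hash: same-origin is allowed by default, other header values and a missing header are only accepted when opted into, and a violation either raises or is handed to a caller-supplied block. The option names and the `CsrfViolation` class are assumptions for this example only.

```ruby
# Added example, not Roda's sec_fetch_site_csrf plugin. Models the policy
# described in the announcement over a Rack env (HTTP_SEC_FETCH_SITE is
# how Rack exposes the Sec-Fetch-Site header).
class CsrfViolation < StandardError; end

# Returns :allow, or a symbol saying why the request fails the check.
# allow:         extra header values to accept besides "same-origin",
#                e.g. ["same-site"] or ["same-site", "none"] (assumed names).
# allow_missing: accept requests without the header. Needed for HTTP
#                (the header is HTTPS-only) and for older browsers, at the
#                cost of no protection for those requests.
def sec_fetch_site_verdict(env, allow: [], allow_missing: false)
  value = env['HTTP_SEC_FETCH_SITE']
  if value.nil?
    return allow_missing ? :allow : :missing_header
  end
  return :allow if value == 'same-origin' || allow.include?(value)
  :disallowed_site   # cross-site, or same-site/none without opting in
end

# Plays the role of check_sec_fetch_site!: call it at the point in the
# routing tree where CSRF protection should be enforced. With no block
# a violation raises; with a block the verdict is passed to it so the
# caller can return a blank 403, clear the session, log, etc.
def enforce_sec_fetch_site!(env, **opts)
  verdict = sec_fetch_site_verdict(env, **opts)
  return verdict if verdict == :allow
  return yield(verdict) if block_given?
  raise CsrfViolation, "Sec-Fetch-Site check failed: #{verdict}"
end
```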
Thanks,
Jeremy