security: send X-CSRF-Token on all state-changing API requests (F-01)

This commit is contained in:
Usman Baig
2026-03-11 21:54:24 +01:00
parent 8136268988
commit c2d5935394


@@ -202,9 +202,9 @@ async function apiRequest<T>(
// * We rely on HttpOnly cookies, so no manual Authorization header injection.
// * We MUST set credentials: 'include' for the browser to send cookies cross-origin (or same-site).
// * Add CSRF token for state-changing requests to Auth API
// * Auth API uses Double Submit Cookie pattern for CSRF protection
if (isAuthRequest && isStateChangingMethod(method)) {
// * Add CSRF token for all state-changing requests (Pulse API and Auth API).
// * Both backends enforce the double-submit cookie pattern server-side.
if (isStateChangingMethod(method)) {
const csrfToken = getCSRFToken()
if (csrfToken) {
headers['X-CSRF-Token'] = csrfToken