Skip to content

Commit

Permalink
Merge pull request #283 from saschaszott/patch-8
Browse files Browse the repository at this point in the history
/api/security/csrf: better explain impact on perfomance degradation
  • Loading branch information
tdonohue authored Aug 27, 2024
2 parents 94d81f1 + 14e2ac8 commit 5773d69
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion csrf-tokens.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ A `GET` endpoint is also available to force a CSRF token refresh. See below.

### GET /api/security/csrf

Provides a new CSRF Token to the client for usage in later requests. This endpoint SHOULD BE USED SPARINGLY as every call to this endpoint will create a new CSRF token. The DSpace REST API automatically manages CSRF tokens and sends them back to the client _only when the token needs to be changed_ (e.g. on login/logout, etc). Using this endpoint to refresh CSRF tokens frequently may result in unexpected behaviors or even performance issues. The primary purpose of this endpoint is to obtain the *first* CSRF token (if not yet sent by the REST API).
Provides a new CSRF Token to the client for usage in later requests. This endpoint SHOULD BE USED SPARINGLY as every call to this endpoint will create a new CSRF token. The DSpace REST API automatically manages CSRF tokens and sends them back to the client _only when the token needs to be changed_ (e.g. on login/logout, etc). Using this endpoint to refresh CSRF tokens frequently may result in unexpected behaviors or even performance issues on the client side. The primary purpose of this endpoint is to obtain the *first* CSRF token (if not yet sent by the REST API).

This endpoint returns an empty response with the newly generated CSRF Token in the `DSPACE-XSRF-TOKEN` HTTP Header. It will also save this CSRF Token to the `DSPACE-XSRF-COOKIE` server-side Cookie, for later verification. See [How does CSRF protection work in DSpace REST API?](#how-does-csrf-protection-work-in-dspace-rest-api) below for more details about this header and cookie.

Expand Down

0 comments on commit 5773d69

Please sign in to comment.