CSRF prevention by requiring a custom header in GET requests #2157

Closed
Tracked by #1358
enisdenjo opened this issue Nov 23, 2022 · 0 comments · Fixed by #2292
Implement a "CORS check guarantee" through a Yoga plugin. If you have CORS enabled, almost all requests coming from the browser will have a preflight request - however, some requests are deemed "simple" and don't make a preflight. One example of such a request is a good ol' GET request without any headers; this request can be marked as "simple" and have preflight CORS checks skipped, therefore skipping the CORS check.

This attack can be mitigated by saying: "all GET requests must have a custom header set". This would force all clients to manipulate the headers of GET requests, marking them as "_not-_simple" and therefore always executing a preflight request.

Apollo does this when using the csrfPrevention = true option.
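As an added illustration (not graphql-yoga's or Apollo's own code), a framework-agnostic version of the check the issue describes: a request is accepted only when the browser could not have sent it as a CORS-safelisted ("simple") request, so any cross-origin caller must have passed a preflight first. The header name `x-graphql-yoga-csrf` is an assumption for this example, and the check generalises the issue's GET-only rule to POST requests with simple content types, which are equally preflight-free.

```javascript
// Added example, not part of the graphql-yoga project. Decides whether a request
// was guaranteed to go through a CORS preflight before reaching the GraphQL server.

// Assumed header name for this example; a real plugin may choose a different one.
const REQUIRED_HEADER = 'x-graphql-yoga-csrf';

// Content types a browser may send cross-origin without a preflight (Fetch spec's
// CORS-safelisted request headers). Anything else on a GET/HEAD/POST forces a preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Case-insensitive header lookup that works with a Fetch `Headers` object or a plain object.
function getHeader(headers, name) {
  if (headers && typeof headers.get === 'function') return headers.get(name);
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Returns true when the request is "not simple", i.e. a preflight was guaranteed:
// a non-safelisted method, the required custom header, or a non-simple content type.
function preflightGuaranteed(method, headers) {
  const m = (method || 'GET').toUpperCase();
  if (m !== 'GET' && m !== 'HEAD' && m !== 'POST') return true;

  const custom = getHeader(headers, REQUIRED_HEADER);
  if (custom !== null && custom !== undefined && custom !== '') return true;

  // A content type outside the safelist (e.g. application/json) also forces a preflight.
  const ct = (getHeader(headers, 'content-type') || '').split(';')[0].trim().toLowerCase();
  if (ct !== '' && !SIMPLE_CONTENT_TYPES.has(ct)) return true;

  // Plain GET/HEAD/POST with no custom header: the browser may have sent it with no CORS check.
  return false;
}

// Guard to run before executing an operation: null means continue, otherwise the
// HTTP status to reject with so the request never reaches the executor.
function csrfGuard(method, headers) {
  return preflightGuaranteed(method, headers) ? null : 403;
}
```

Browser clients then have to add the custom header to every GET (for example via a fetch `headers` option), which is exactly what turns the request into a preflighted one.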
