import { badRequest } from 'boom';
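/**
 * Registers the XSRF request guard as an `onPostAuth` server extension.
 *
 * Unless `server.xsrf.disableProtection` is set in config, every request
 * whose method is not `get` or `head` must carry a `kbn-version` or a
 * `kbn-xsrf` header; a request with neither is answered with Boom's
 * `badRequest` (HTTP 400) instead of reaching its route handler.
 * Only the *presence* of the header is checked here — its value is never
 * inspected — so the protection rests on the fact that a custom header has
 * to be set explicitly by the calling code (whether cross-origin callers can
 * do so depends on CORS configuration that lives elsewhere).
 *
 * The default export is named so it shows up in stack traces and can be
 * referenced directly; the module interface (default export, parameter
 * order) is unchanged.
 *
 * @param {object} kbnServer - Kibana server instance; not used by this guard.
 * @param {object} server - Server exposing `ext(event, handler)` (hapi-style).
 * @param {{ get: (key: string) => any }} config - Config lookup; read once
 *   for `server.xsrf.disableProtection`.
 */
export default function xsrfProtection(kbnServer, server, config) {
  // Evaluated once at registration time, not per request.
  const protectionDisabled = config.get('server.xsrf.disableProtection');
  const versionHeader = 'kbn-version';
  const xsrfHeader = 'kbn-xsrf';
  // Methods that never need the header.
  const safeMethods = new Set(['get', 'head']);

  server.ext('onPostAuth', (req, reply) => {
    if (protectionDisabled) {
      return reply.continue();
    }

    const needsHeader = !safeMethods.has(req.method);
    // `in` deliberately accepts an empty header value: presence is the test.
    const hasAnyRequiredHeader = [versionHeader, xsrfHeader].some(
      (name) => name in req.headers,
    );

    if (needsHeader && !hasAnyRequiredHeader) {
      return reply(badRequest(`Request must contain a ${xsrfHeader} header.`));
    }

    return reply.continue();
  });
}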