Forbidden 403? CSRF!
#1

(This post was last modified: 02-04-2021, 03:24 AM by blaasvaer.)

Hi, I've been creative and created a 'dynamic' API (http:// … /<resource>/<optional id>) which works great.

My problem is that when I try to add resources by POSTing (or update using PUT), I get a 403 forbidden. Now, according to the docs I'm trying to enable CSRF in Filters, add whitelist URLs ... something like this:

Code:
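// Property of the Filters config class
public $globals = [
    'before' => [
        // CSRF check runs before every request except the listed URIs
        'csrf' => ['except' => ['api/record/save']],
    ],
];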


Now, it defeats the whole point of having a 'dynamic' API if I have to manually add exceptions in filters afterwards.

Now, HOW would I make it possible to use PUT and POST in this case to avoid errors like the above?

NOTE: the application is "frontend" ONLY, I don't use CI for generating any type of visual output (forms etc.), so the csrf_methods are probably out of the question ... the user is validated by being logged in. So, only logged in users can create and update stuff. But I basically need to remove url exceptions from the loop.

Hmm, maybe disabling the CSRF completely will do?
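Added example, not part of the original post or of CodeIgniter's own code: a frontend-only client can keep the CSRF filter enabled for every dynamic route by echoing the CSRF cookie back in a request header on POST/PUT, so no per-URL exception is needed. The cookie name `csrf_cookie_name` and header name `X-CSRF-TOKEN` are assumed framework defaults to verify against your Security config, the `/api/` prefix and `apiFetch` helper are hypothetical, and the cookie is assumed to be readable by script.

```javascript
// Added example. Assumed names (not from the post): check them against
// the Security config of the CodeIgniter version in use.
const CSRF_COOKIE = 'csrf_cookie_name';
const CSRF_HEADER = 'X-CSRF-TOKEN';
const UNSAFE = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Return a copy of `headers` with the CSRF header set, for state-changing
// methods only. The cookie is re-read on every call because the server
// may rotate the token after each request.
function withCsrf(method, headers, cookieString) {
  const out = { ...headers };
  if (!UNSAFE.has(String(method).toUpperCase())) return out;
  const token = readCookie(cookieString, CSRF_COOKIE);
  if (token === null || token === '') {
    // Fail closed on the client instead of sending a request that will 403.
    throw new Error('CSRF cookie missing: make a GET request first');
  }
  out[CSRF_HEADER] = token;
  return out;
}

// Browser-side wrapper for the <resource>/<optional id> API (hypothetical).
function apiFetch(resource, { method = 'GET', body, id } = {}) {
  const path = id === undefined ? resource : `${resource}/${encodeURIComponent(id)}`;
  const headers = withCsrf(method, { 'Content-Type': 'application/json' }, document.cookie);
  return fetch(`/api/${path}`, {
    method,
    headers,
    credentials: 'same-origin', // send the session cookie only to our own origin
    body: body === undefined ? undefined : JSON.stringify(body),
  });
}
```

With this in place the `except` list can stay empty: a cross-site page can make the browser send the session cookie, but it cannot read the CSRF cookie to build the matching header.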



