Schlemmer
Andrew Kushnir
parent
98515e1ecf
commit
036294d566
|
|
@ -900,7 +900,7 @@ by returning an observable of simulated events.
|
||||||
|
|
||||||
[Cross-Site Request Forgery (XSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. `HttpClient` supports a [common mechanism](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) used to prevent XSRF attacks. When performing HTTP requests, an interceptor reads a token from a cookie, by default `XSRF-TOKEN`, and sets it as an HTTP header, `X-XSRF-TOKEN`. Since only code that runs on your domain could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker.
|
[Cross-Site Request Forgery (XSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. `HttpClient` supports a [common mechanism](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) used to prevent XSRF attacks. When performing HTTP requests, an interceptor reads a token from a cookie, by default `XSRF-TOKEN`, and sets it as an HTTP header, `X-XSRF-TOKEN`. Since only code that runs on your domain could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker.
|
||||||
|
|
||||||
By default, an interceptor sends this cookie on all mutating requests (POST, etc.)
|
By default, an interceptor sends this header on all mutating requests (POST, etc.)
|
||||||
to relative URLs but not on GET/HEAD requests or
|
to relative URLs but not on GET/HEAD requests or
|
||||||
on requests with an absolute URL.
|
on requests with an absolute URL.
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue