user2066880

Reputation: 5024

Do I need to enable CSRF protection?

If none of the POST endpoints in my API server consume application/x-www-form-urlencoded or multipart/form-data, do I need to be concerned about CSRF? From my understanding, CSRF can only be executed through form-backed POST requests. Any other kind of request requires the use of XMLHttpRequest, which won't go through because of the same origin policy.

Upvotes: 2

Views: 67

Answers (1)

Benjamin Gruenbaum

Reputation: 276596

Sure, you can send JSON from forms in modern browsers. So everything that applies to application/x-www-form-encoded applies equally as much to other form data encoding types.

Moreover - there is no guarantee support for more types won't be added in the future so there's always that.

Upvotes: 1
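A server-side check for the situation discussed in this thread, as an added example that is not part of the original question or answer. It compares a handler that parses any JSON-looking body with a gate that requires an exact `application/json` media type and an allow-listed `Origin`. The request shape, `ALLOWED_ORIGINS`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: framework-free request gate for a JSON-only API.
// ALLOWED_ORIGINS and the {method, headers, body} request shape are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // hypothetical origin
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Weak pattern: accepts any body that parses as JSON, whatever its Content-Type.
function naiveAccepts(req) {
  try { JSON.parse(req.body); return true; } catch { return false; }
}

// Hardened gate: returns { ok, reason } for a state-changing request.
function csrfGate(req) {
  if (SAFE_METHODS.has(req.method)) return { ok: true, reason: 'safe method' };

  // Header names are case-insensitive, so normalise them first.
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) headers[k.toLowerCase()] = v;

  // 1. Exact media type match; parameters such as charset are ignored.
  //    HTML forms can only send urlencoded, multipart/form-data or text/plain.
  const mediaType = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') return { ok: false, reason: 'content-type' };

  // 2. If the browser sent Origin, it must be allow-listed ("null" is rejected too).
  //    Requests without Origin (non-browser clients) pass this step by policy choice.
  const origin = headers['origin'];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: 'origin' };
  }
  return { ok: true, reason: 'passed' };
}

// Constructed sample requests, as the server would see them.
const body = '{"to":"acct-2","amount":100}';
const formPost = {            // cross-site form submission carrying a JSON-shaped body
  method: 'POST', body,
  headers: { 'Content-Type': 'text/plain', 'Origin': 'https://other.example' },
};
const apiCall = {             // the application's own fetch/XHR call
  method: 'POST', body,
  headers: { 'content-type': 'application/json; charset=utf-8', 'Origin': 'https://app.example.com' },
};
const crossSiteJson = {       // correct media type, but from an origin not on the list
  method: 'POST', body,
  headers: { 'Content-Type': 'application/json', 'Origin': 'https://other.example' },
};
```

The gate complements a CSRF token or `SameSite` cookies rather than replacing them.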
