Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to selectively disable CSRF check in Phoenix framework

Tags:

csrf

elixir

phoenix-framework

csrf-protection

I'm trying to create a Facebook Page Tab which points to my website. Facebook sends a HTTP POST request to the url of my website. The problem here is that the server has a built-in CSRF check, and it returns the following error:

(Plug.CSRFProtection.InvalidCSRFTokenError) invalid CSRF (Cross Site  Forgery Protection) token, make sure all requests include a '_csrf_token' param or an 'x-csrf-token' header`

The server expects a CSRF token that Facebook can't have. So, I want to selectively disable CSRF for the path www.mywebsite.com/facebook.

How can I do it in Phoenix Framework?

like image 955
N. Sola Avatar asked Sep 15 '15 08:09

N. Sola

People also ask

How do I disable CSRF?

You can disable CSRF protection by setting the csrf. protection. enabled system configuration item to the value false. This can be done via REST API.

When should I disable CSRF?

Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

How do I know if CSRF is enabled?

Automated Tools for CSRF testingBright's CSRF test first checks if there is any CSRF protection implemented, by checking if the target has “Access-Control-Allow-Origin” header misconfiguration or missing “Origin” header.

How do I disable CSRF in Postman?

Change the setting "AntiForgeryEnabled": true to "AntiForgeryEnabled": false and your Postman requests should work again. Note that you only get the http 500 error on POST, PUT and DELETE requests.

1 Answers

The Plug.CSRFProtection is enabled in your router with protect_from_forgery. This is set by default in the browser pipeline. Once a plug has been added, there is no way to disable it, instead it has to be not set in the first place. You can do this by moving it out of browser and only including it when it is required.

defmodule Foo.Router do
  use Foo.Web, :router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    #plug :protect_from_forgery - move this
  end

  pipeline :csrf do
    plug :protect_from_forgery # to here
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/", Foo do
    pipe_through [:browser, :csrf] # Use both browser and csrf pipelines

    get "/", PageController, :index
  end

  scope "/", Foo do
    pipe_through :browser # Use only the browser pipeline

    get "/facebook", PageController, :index #You can use the same controller and actions if you like
  end

end
like image 146
Gazler Avatar answered Oct 06 '22 07:10

Gazler
Sign in to Comment

Related questions

Is it possible to stub(mock?) Ecto.UUID.generate in an ExUnit test?
When to use compile-only dependencies in Elixir
Ecto creating unique index failed for Mysql/Mariadb
What is syntax for byte_size in pattern matching?
Postgres health check in Elixir
Elixir reduce order of elements
Is there a way to explicitly write a elixir function to be tail call optimised?
Fragments reuse
Unix Domain Sockets in Elixir
In a Phoenix Framework form, how can I set a belongs_to relation back to null using a changeset?
elixir - phoenix:undefined function Hex.SCM.managers
Phoenix framework & passing conn
Errors like "Phoenix.HTML.Engine.init/1 is undefined or private" and "Plug.Conn.__struct__/1 is undefined" after upgrading Elixir
Mix.env/0 equivalent in production env?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!