CSRF token

The Cloverleaf API uses a CSRF token to prevent cross-site request forgery attacks. Every API invocation other than a GET must carry the CSRF token in a request header.

The response returns the CSRF token value in JSON format.

To get the CSRF token for a session, users invoke the new /api/security/csrf API with the session ID, which is saved in a cookie after log-in. The response is {"csrf" : "csrf_token_value"}.

The CSRF token cookie is HttpOnly, which means JavaScript cannot read the cookie.

CLAPI does not save the CSRF token into a cookie; instead, it provides an API to get the CSRF token.

The client calls the new API to get the CSRF token, caches it in memory, and sends it in the X-CSRF-TOKEN header with each non-GET request.
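The following is an added example, not Cloverleaf's own code, that models the flow above end to end: a client that fetches the token once from /api/security/csrf, caches it in memory and sends it as X-CSRF-TOKEN, and a server-side check that rejects non-GET requests whose header does not match the session's token. The endpoint, the {"csrf": ...} response and the header name come from the page; the in-memory session store, the SESSIONID cookie name and the constant-time comparison are assumptions made for the example.

```python
"""Added example (not Cloverleaf's own code) modelling the CSRF token flow.
Assumptions: an in-memory session store, a cookie named SESSIONID, and
constant-time token comparison on the server side."""
import hmac
import json
import secrets

SESSION_COOKIE = "SESSIONID"   # assumed session cookie name
CSRF_HEADER = "X-CSRF-TOKEN"   # header name from the page

# Assumed server-side store: session id -> per-session CSRF token.
_SESSIONS = {}


def login():
    """Simulates log-in: creates a session and mints a CSRF token bound to it."""
    session_id = secrets.token_urlsafe(16)
    _SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def handle_csrf_api(cookies):
    """Simulates GET /api/security/csrf: returns the session's token as JSON."""
    token = _SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if token is None:
        return 401, json.dumps({"error": "not logged in"})
    return 200, json.dumps({"csrf": token})


def enforce_csrf(method, cookies, headers):
    """Server-side check: every non-GET call must carry a token matching the session."""
    if method.upper() == "GET":
        return 200, "ok"
    expected = _SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if expected is None:
        return 401, "not logged in"
    presented = headers.get(CSRF_HEADER, "")
    # Constant-time comparison so a mismatch is not observable through timing.
    if not hmac.compare_digest(expected, presented):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"


class Client:
    """Client behaviour from the page: fetch the token once, cache it in memory
    (never in a cookie), and send it as X-CSRF-TOKEN on non-GET requests."""

    def __init__(self, session_id):
        self.cookies = {SESSION_COOKIE: session_id}
        self._csrf = None

    def csrf_token(self):
        if self._csrf is None:
            status, body = handle_csrf_api(self.cookies)
            if status != 200:
                raise RuntimeError(body)
            self._csrf = json.loads(body)["csrf"]
        return self._csrf

    def request(self, method):
        headers = {}
        if method.upper() != "GET":
            headers[CSRF_HEADER] = self.csrf_token()
        return enforce_csrf(method, self.cookies, headers)


def demo():
    """Runs the exchange and returns the status code each case produces."""
    sid = login()
    client = Client(sid)
    # A cross-site request carries the victim's cookie automatically but, since
    # the token is only available in memory, it cannot present the header.
    forged = enforce_csrf("POST", {SESSION_COOKIE: sid}, {})
    return {
        "get_without_token": client.request("GET")[0],
        "post_with_token": client.request("POST")[0],
        "forged_post": forged[0],
        "wrong_token": enforce_csrf("PUT", {SESSION_COOKIE: sid}, {CSRF_HEADER: "bogus"})[0],
        "no_session": enforce_csrf("POST", {}, {CSRF_HEADER: "bogus"})[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the status codes for the five cases: the GET and the token-bearing POST succeed, the request without the header and the one with a wrong token are refused with 403, and a request with no session at all gets 401. Because the token is bound to the session and only reachable through the authenticated API, a page on another origin cannot obtain it even though the browser attaches the session cookie for it.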