能否在sails.js中从CSRF中排除某些URL? [英] Can certain URLs be exempt from CSRF in sails.js?
问题描述
我正在设置Stripe与我的sails.js服务器一起使用,并且为了使用Stripe的webhooks,我需要为提供给Stripe的URL禁用CSRF。
I'm setting up Stripe to work with my sails.js server, and in order to use Stripe's webhooks, I need to disable CSRF for the URLs I provide to Stripe.
是否可以使sails.js中的某些URL免于CSRF POST要求?我可以找到的CSRF唯一配置是全局打开它,并查看csrf挂钩的源代码( https://github.com/balderdashy/sails/blob/master/lib/hooks/csrf/index.js ),如果我尝试提供一个自定义对象,无论如何它只会被全局设置替换。
Is it possible to make certain URLs exempt from CSRF POST requirements in sails.js? The only configuration I can find for CSRF is to turn it on globally, and looking through the source code for the csrf hook (https://github.com/balderdashy/sails/blob/master/lib/hooks/csrf/index.js) it looks like if I try to provide a custom object, it just gets replaced with the global settings anyway.
谢谢
推荐答案
因此,Murcho的解决方案正在工作,但实际上,sails v0.11仅具有一个配置文件:
So Murcho's solution is working but actually, sails v0.11 has a config file just for that :
在 config / csrf.js
,在激活csrf保护的行之后是此注释块:
In config/csrf.js
, after the line where you activate csrf protection lies this comments block :
/****************************************************************************
* *
* You may also specify more fine-grained settings for CSRF, including the *
* domains which are allowed to request the CSRF token via AJAX. These *
* settings override the general CORS settings in your config/cors.js file. *
* *
****************************************************************************/
// module.exports.csrf = {
// grantTokenViaAjax: true,
// origin: ''
// }
只需在其中添加一个配置对象即可扩展默认值:
You just need to add a config object there to extend the defaults :
module.exports.csrf = {
"routesDisabled": "/webhooks/testhook,/webhooks/anotherhook"
}
这篇关于能否在sails.js中从CSRF中排除某些URL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!