added CSRF protection using csurf express middleware, fixes #455

2025-11-12 00:05:50 +01:00 · 2019-03-24 22:41:53 +01:00
parent f6413d095c
commit 9fc5d328b4
11 changed files with 87 additions and 15 deletions
--- a/src/public/javascripts/services/server.js
+++ b/src/public/javascripts/services/server.js
@@ -1,4 +1,3 @@
-import protectedSessionHolder from './protected_session_holder.js';
 import utils from './utils.js';
 import infoService from "./info.js";

@@ -7,7 +6,8 @@ function getHeaders() {
    // so hypothetical protectedSessionId becomes protectedsessionid on the backend
    // also avoiding using underscores instead of dashes since nginx filters them out by default
    return {
-        'trilium-source-id': glob.sourceId
+        'trilium-source-id': glob.sourceId,
+        'x-csrf-token': glob.csrfToken
    };
 }