JWT cookie authentication


stephe...@eurostar.com

Nov 20, 2017, 8:53:41 AM
to Kong
Hi All,

Now that we have support for JWT cookie authentication:


How do we protect against CSRF? Normally this is done by the client adding an X-XSRF-TOKEN header to the requests, and then Kong can test this value against the csrf value held inside the JWT.

Is this happening, or is there another/better way to protect against CSRF?

Thanks

Stephen

Thibault Charbonnier

Nov 20, 2017, 12:36:27 PM
to kong...@googlegroups.com
Hi,

Kong will not do such validation as of today. We would welcome a pull
request for this!

Best regards,
Thibault
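
The check described in the question (compare the X-XSRF-TOKEN request header with the csrf value inside the signed JWT cookie), as an added example that is not part of this thread and is not Kong code. The cookie name `jwt`, the HS256 algorithm, the `exp` check and the exemption of GET/HEAD/OPTIONS are assumptions; tokens passed to it in a demo would be constructed with `sign_hs256`.

```python
import base64, hashlib, hmac, json, time

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumption: these never change state

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Issuer side, used here only to build constructed sample tokens."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, secret):
    """Return the claims dict if the signature is valid, else None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        # Pin the algorithm; never let the token choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def authorize(method, cookies, headers, secret, now=None):
    """Return claims when both the JWT and the CSRF check pass, else None."""
    claims = verify_hs256(cookies.get("jwt", ""), secret)
    now = time.time() if now is None else now
    if claims is None or not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    if method.upper() in SAFE_METHODS:
        return claims
    sent, expected = headers.get("X-XSRF-TOKEN", ""), claims.get("csrf", "")
    # The browser attaches the cookie automatically but not the header, so a
    # cross-site form post cannot supply a value matching the signed claim.
    if not sent or not isinstance(expected, str) or not expected:
        return None
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return None
    return claims
```

Because the csrf value sits inside the signed token, the gateway needs no server-side session store to validate the header.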