`xsrf_cookies` error


Sunando Samaddar

Oct 9, 2020, 2:51:28 AM10/9/20
to Tornado Web Server
Hi, I'm trying to run a full stack Tornado and React (create-react-app) app. The backend sets CORS headers like below in a BaseHandler.

import tornado.web

class BaseHandler(tornado.web.RequestHandler):
    def set_default_headers(self):
        # CORS headers for the create-react-app dev server on port 3000
        self.set_header('Access-Control-Allow-Origin', 'http://localhost:3000')
        self.set_header('Access-Control-Allow-Headers', 'X-Requested-With')
        self.set_header('Access-Control-Allow-Methods', 'POST, GET, OPTIONS')

The app mainly serves authentication APIs, a login (/auth) API, a logout (/logout) API, and uses secure cookies. Now, I see I have to set xsrf_cookies=False for the app to authenticate with a status code 200. Otherwise, I see this warning.

WARNING:tornado.general:403 POST /auth (::1): '_xsrf' argument missing from POST

I think there may be something I don't understand and therefore can't implement correctly. Looking forward to the discussion.

Thanks.


Ben Darnell

Oct 25, 2020, 3:18:13 PM10/25/20
to Tornado Mailing List

There's an example there of setting the `_xsrf` argument in jquery; I'd love it if someone could provide a react-based example.

Also see this OWASP page for more background on what XSRF is and why it's important. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

-Ben
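Ben asks for a React-based version of the jQuery snippet. The following is an added example, not from this thread or from the Tornado project: a small fetch helper that a React component (or a custom hook) can call so that state-changing requests carry the XSRF token. It assumes the backend has already issued the `_xsrf` cookie (Tornado sets that cookie only when some handler accesses `self.xsrf_token`, so an API-only backend needs a GET endpoint that does so before the first POST), and, because the frontend is on a different origin, that the backend's CORS headers list `X-XSRFToken` in `Access-Control-Allow-Headers` and send `Access-Control-Allow-Credentials: true`. The cookie string in the test is constructed.

```javascript
// Added example (not from the thread): send Tornado's XSRF token from a
// React/fetch client. Tornado's check_xsrf_cookie accepts the token either as
// a `_xsrf` body argument or in the `X-XSRFToken` request header; the header
// is the natural fit for a JSON API called from create-react-app.

const XSRF_COOKIE = '_xsrf';        // Tornado's default cookie name
const XSRF_HEADER = 'X-XSRFToken';  // header name Tornado checks

// Parse a document.cookie-style string ("a=1; _xsrf=2|1a2b|3c4d|1602200000")
// into a plain object. The value is split on the first "=" only, and an exact
// name match is required, so a cookie such as "other_xsrf" is never mistaken
// for "_xsrf" (Tornado's v2 token contains "|" characters, which are kept).
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    if (eq < 0) continue;
    const name = trimmed.slice(0, eq).trim();
    const value = trimmed.slice(eq + 1);
    if (!(name in jar)) jar[name] = value; // browsers list the most specific cookie first
  }
  return jar;
}

// Build the fetch options for a state-changing call. `cookieString` is a
// parameter (document.cookie in the browser) so the logic can be exercised
// outside a browser as well.
function buildXsrfRequest(method, body, cookieString, extraHeaders = {}) {
  const token = parseCookies(cookieString)[XSRF_COOKIE];
  if (!token) {
    // No token cookie means the backend never issued one; sending the request
    // anyway would produce the same 403 "_xsrf argument missing" as in the
    // original post, so fail early with a clearer message.
    throw new Error(`${XSRF_COOKIE} cookie not present; load a token from the backend first`);
  }
  return {
    method,
    // The session and _xsrf cookies must accompany the cross-origin request;
    // this requires Access-Control-Allow-Credentials: true on the Tornado side.
    credentials: 'include',
    headers: {
      'Content-Type': 'application/json',
      [XSRF_HEADER]: token,
      ...extraHeaders,
    },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Thin wrapper a React component can await, e.g.
//   const res = await xsrfFetch('http://localhost:8888/auth', 'POST', { user, password });
async function xsrfFetch(url, method, body) {
  const cookies = typeof document === 'undefined' ? '' : document.cookie;
  return fetch(url, buildXsrfRequest(method, body, cookies));
}
```

Because the token is read from `document.cookie`, the `_xsrf` cookie must not be set with `httponly=True`; the session cookie itself should stay HttpOnly, since the client never needs to read it.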
