Class CSRFProtectionHandler

  • All Implemented Interfaces:
    MuHandler

    public class CSRFProtectionHandler
    extends java.lang.Object
    implements MuHandler

    Protects against Cross-Site Request Forgery (CSRF) by rejecting non-safe cross-origin browser requests.

    Safe methods (GET, HEAD, OPTIONS) are always allowed. Any other request is allowed if at least one of the following holds:

    • The Sec-Fetch-Site header is same-origin or none
    • The Origin header matches the request host
    • The Origin header is in the trusted origins list
    • The request path matches a bypass pattern

    If a request is rejected, the configured rejection handler is called. By default, this throws a BadRequestException.

    The return value of the handle method is the return value of the rejection handler, so a custom rejection handler can override the rejection: if it returns false from MuHandler.handle(MuRequest, MuResponse), processing continues to the next handler and the request is effectively allowed; if it returns true, processing stops (normally after the rejection handler has written an error response). A custom rejection handler that returns false without first deciding that the request is acceptable therefore disables the protection for that request.

    This logic was inspired by Cross-Site Request Forgery by Filippo Valsorda.
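    The following standalone class, added here as a worked example and not taken from mu-server, implements the allow/reject decision listed above so that the ordering and the OR-ing of the conditions can be seen and exercised. The Request record, the regex-based bypass patterns and the comparison of the Origin authority (host[:port]) against the Host header are assumptions made for the example; the real handler's treatment of clients that send neither Sec-Fetch-Site nor Origin is not stated on this page and should be checked against the source or its tests. Requires Java 16 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Illustration of the CSRF allow/reject decision described in the
 * CSRFProtectionHandler documentation. This is NOT mu-server's implementation:
 * the request shape, the Origin-vs-Host comparison and the use of
 * java.util.regex for bypass patterns are assumptions made for the example.
 */
public class CsrfDecisionExample {

    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    /** Minimal view of the request fields the policy needs (hypothetical, for the demo). */
    record Request(String method, String path, String hostHeader, String secFetchSite, String origin) {}

    /**
     * Returns true if the request should pass through, false if it should be
     * handed to the rejection handler. The conditions are OR-ed, as in the list above.
     */
    static boolean isAllowed(Request req, Set<String> trustedOrigins, List<Pattern> bypassPatterns) {
        // 1. Safe methods are always allowed.
        if (SAFE_METHODS.contains(req.method().toUpperCase(Locale.ROOT))) {
            return true;
        }
        // 2. Fetch metadata: the browser asserts the request is same-origin, or
        //    user-initiated (typed URL, bookmark), which is reported as "none".
        if (req.secFetchSite() != null) {
            String site = req.secFetchSite().trim().toLowerCase(Locale.ROOT);
            if (site.equals("same-origin") || site.equals("none")) {
                return true;
            }
        }
        // 3. Origin matches the request host, or 4. Origin is explicitly trusted.
        if (req.origin() != null) {
            String origin = req.origin().trim();
            if (originHostMatches(origin, req.hostHeader())) {
                return true;
            }
            if (trustedOrigins.stream().anyMatch(t -> t.equalsIgnoreCase(origin))) {
                return true;
            }
        }
        // 5. Path bypass, e.g. a webhook endpoint authenticated by a signature instead.
        for (Pattern p : bypassPatterns) {
            if (p.matcher(req.path()).matches()) {
                return true;
            }
        }
        // Nothing matched. Note that a request carrying neither header (e.g. curl)
        // also lands here under a literal reading of the list above.
        return false;
    }

    /** Compares the authority (host[:port]) of the Origin header with the Host header. */
    private static boolean originHostMatches(String origin, String hostHeader) {
        // "Origin: null" is sent for opaque/sandboxed origins and must never match.
        if (hostHeader == null || "null".equalsIgnoreCase(origin)) {
            return false;
        }
        try {
            String authority = new URI(origin).getRawAuthority();
            return authority != null && authority.equalsIgnoreCase(hostHeader.trim());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests.
        Set<String> trusted = Set.of("https://admin.example.net");
        List<Pattern> bypass = List.of(Pattern.compile("/webhooks/.*"));
        String host = "app.example.com";

        Request[] cases = {
            new Request("GET",  "/account",      host, "cross-site",  "https://evil.example"),      // allow: safe method
            new Request("POST", "/account",      host, "same-origin", "https://app.example.com"),   // allow: fetch metadata
            new Request("POST", "/account",      host, "cross-site",  "https://evil.example"),      // reject
            new Request("POST", "/account",      host, null,          "https://app.example.com"),   // allow: Origin matches Host
            new Request("POST", "/account",      host, null,          "https://admin.example.net"), // allow: trusted origin
            new Request("POST", "/webhooks/pay", host, "cross-site",  "https://payments.example"),  // allow: bypass path
            new Request("POST", "/account",      host, null,          null),                        // reject (literal reading)
            new Request("POST", "/account",      host, null,          "null"),                      // reject: opaque origin
        };
        for (Request r : cases) {
            System.out.printf("%-5s %-14s Sec-Fetch-Site=%-12s Origin=%-28s -> %s%n",
                r.method(), r.path(), r.secFetchSite(), r.origin(),
                isAllowed(r, trusted, bypass) ? "allow" : "reject");
        }
    }
}
```

    The "Origin: null" case is worth keeping in any such check: browsers send it for sandboxed iframes and some redirected cross-origin requests, and a naive string comparison that treats it as a hostname could be made to match a configuration mistake rather than a real origin.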

    See Also:
    CSRFProtectionHandlerBuilder
    • Method Summary

      Modifier and Type   Method                                          Description
      boolean             handle(MuRequest request, MuResponse response)  Called when an HTTP request is made (unless a previous handler stopped handler processing)
      java.lang.String    toString()
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
    • Method Detail

      • handle

        public boolean handle(MuRequest request,
                              MuResponse response)
                       throws java.lang.Exception
        Description copied from interface: MuHandler
        Called when an HTTP request is made (unless a previous handler stopped handler processing)
        Specified by:
        handle in interface MuHandler
        Parameters:
        request - The HTTP request.
        response - The HTTP response.
        Returns:
        Return false to continue processing the next handler (for example if writing a filter or inspector); or true to stop processing (normally done if this handler sent a response).
        Throws:
        java.lang.Exception - Any uncaught exceptions will result in a 500 error code being returned to the client with a simple message.
      • toString

        public java.lang.String toString()
        Overrides:
        toString in class java.lang.Object