csrfProtection() should ignore GET/HEAD/OPTIONS

[johaven]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the bug has not already been reported

Fastify version

4.28.1

Plugin version

7.0.0

Node.js version

20.x

Operating system

macOS

Operating system version (i.e. 20.04, 11.3, 10)

14.7

Description

Only HTTP methods that make changes to resources should be protected.

Most frameworks (like Angular) do not send the csrf token in request headers for GET/HEAD/OPTIONS methods.

// protect the fastify instance
fastify.addHook('onRequest', fastify.csrfProtection)

In this particular case (from the documentation), the instance is protected, GET and other methods may be denied.

Take a look here: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#javascript-automatically-including-csrf-tokens-as-an-ajax-request-header

Perhaps an option to define ignored methods (the ones mentioned by default) would be nice and less blocking.

[mcollina]

Thanks for reporting! Would you like to send a Pull Request to address this issue? Remember to add unit tests.