From 51b6dd9fe97b2347e35a439f8d6ea043239deb7f Mon Sep 17 00:00:00 2001
From: Emanuele Stoppa
Date: Tue, 9 Apr 2024 15:47:16 +0100
Subject: [PATCH] Apply suggestions from code review
Co-authored-by: Sarah Rainsberger
---
 .changeset/fair-jars-behave.md | 7 +++----
 packages/astro/src/@types/astro.ts | 2 +-
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/.changeset/fair-jars-behave.md b/.changeset/fair-jars-behave.md
index 9c59a75b31b1..700b1b883021 100644
--- a/.changeset/fair-jars-behave.md
+++ b/.changeset/fair-jars-behave.md
@@ -2,7 +2,7 @@
 "astro": minor
 ---
-Adds a new security - and experimental - option to prevent CSRF attacks. This feature is available only for on-demand pages:
+Adds a new experimental security option to prevent [Cross-Site Request Forgery (CSRF) attacks](https://owasp.org/www-community/attacks/csrf). This feature is available only for pages rendered on demand:
 ```js
 import { defineConfig } from "astro/config"
@@ -17,9 +17,8 @@ export default defineConfig({
 })
 ```
-When enabled, it checks that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`.
+Enabling this setting performs a check that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`.
-The "origin" check is executed only on-demand pages, and only for the requests `POST, `PATCH`, `DELETE` and `PUT`, only for those requests that
-the followin `content-type` header: 'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'.
+This experimental "origin" check is executed only for pages rendered on demand, and only for the requests `POST, `PATCH`, `DELETE` and `PUT` with one of the following `content-type` headers: 'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'.
 It the "origin" header doesn't match the pathname of the request, Astro will return a 403 status code and won't render the page.
diff --git a/packages/astro/src/@types/astro.ts b/packages/astro/src/@types/astro.ts
index a2b7cfba01ac..9d75bd84e1b6 100644
--- a/packages/astro/src/@types/astro.ts
+++ b/packages/astro/src/@types/astro.ts
@@ -1856,7 +1856,7 @@ export interface AstroUserConfig {
 * @version 4.6.0
 * @description
 *
- * It enables some security measures to prevent CSRF attacks: https://owasp.org/www-community/attacks/csrf
+ * Allows you to enable security measures to prevent CSRF attacks: https://owasp.org/www-community/attacks/csrf
 */
 csrfProtection?: {
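Review bot: The reworded `@description` line still only says that security measures exist, while the changeset in this same commit is where the actual contract lives; the doc comment on `csrfProtection` is what editors and the generated config reference surface, so it should state the contract too. I would extend the description to say that the check compares the request's `origin` header with the request URL, applies only to pages rendered on demand and only to `POST`, `PATCH`, `DELETE` and `PUT` requests whose `content-type` is `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain`, and that a mismatch returns a 403 without rendering the page. Spelling out the content-type scope in the type doc matters because requests with any other content type are not covered by this check, and a reader of only this comment would otherwise assume every mutating request is protected. The `csrfProtection` property and the enclosing `AstroUserConfig` interface both continue outside the hunk.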