Project

rack-cors-csrf_prevention

0.0
No release in over a year
rack-cors-csrf_preventiondigitaz/rack-cors-csrf_preventionHomepageDocumentationSource CodeBug TrackerWiki
The middleware makes sure any request to specified paths would have been preflighted if it was sent by a browser. We don't want random websites to be able to execute actual GraphQL operations from a user's browser unless our CORS policy supports it. It's not good enough just to ensure that the browser can't read the response from the operation; we also want to prevent CSRF, where the attacker can cause side effects with an operation or can measure the timing of a read operation. Our goal is to ensure that we don't run the context function or execute the GraphQL operation until the browser has evaluated the CORS policy, which means we want all operations to be pre-flighted. We can do that by only processing operations that have at least one header set that appears to be manually set by the JS code rather than by the browser automatically. POST requests generally have a content-type `application/json`, which is sufficient to trigger preflighting. So we take extra care with requests that specify no content-type or that specify one of the three non-preflighted content types. For those operations, we require one of a set of specific headers to be set. By ensuring that every operation either has a custom content-type or sets one of these headers, we know we won't execute operations at the request of origins who our CORS policy will block.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
 Popularity
Downloads
3,112
Stars
2
Forks
0
Watchers
4
 Releases
Current version
0.3.0
Total releases
4
First release
1980-01-02
Latest release
2024-02-15
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
2
Merged Pull Requests
0
Pull Request Acceptance Rate
0%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2024-04-05
Reverse Dependencies
0

 Dependencies

Development

debug
~> 1.9, >= 1.9.1
rake
~> 13.0
rspec
~> 3.0
rubocop
~> 1.81, >= 1.81.1

Runtime

rack
>= 1
 Project Readme

Rack::Cors::CsrfPrevention

Ruby implementation of CSRF prevention from the Apollo Router.

Installation

Install the gem and add to the application's Gemfile by executing:

bundle add rack-cors-csrf_prevention

If bundler is not being used to manage dependencies, install the gem by executing:

gem install rack-cors-csrf_prevention

Configuration

Rails Configuration

# config/initializers/cors.rb

Rails.application.config.middleware.use Rack::Cors::CsrfPrevention

Paths

By default, the gem protects only /graphql path.

You can set your path using path argument:

config.middleware.use Rack::Cors::CsrfPrevention, path: "/gql"

Also, you can configure multiple paths via paths argument.

Headers

By default, gem allows only X-Apollo-Operation-Name or Apollo-Require-Preflight header for non-preflighted content types.

You can add additional headers for CSRF prevention:

config.middleware.use Rack::Cors::CsrfPrevention,
                      required_headers: %w[SOME-SPECIAL-HEADER]

Error message

By default, gem returns detailed error message that can help API clients in development.

You can hide detailed error message in a production environment:

config.middleware.use Rack::Cors::CsrfPrevention, detailed_error: !Rails.env.production?

Development

After checking out the repo, run bin/setup to install dependencies. Then, run bin/rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bin/rake install. To release a new version, update the version number in version.rb, and then run bin/rake release, which will create a git tag for the version, push git commits and the created tag, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/digitaz/rack-cors-csrf_prevention.