From 1f05d2c72f7885e76e3b28edfaa86236acbdef7a Mon Sep 17 00:00:00 2001
From: Maximilian Tagher
Date: Tue, 31 Jul 2018 21:22:39 -0700
Subject: [PATCH] Explain how requireCheckJsonBody can prevent CSRF

---
 yesod-core/Yesod/Core/Json.hs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/yesod-core/Yesod/Core/Json.hs b/yesod-core/Yesod/Core/Json.hs
index b3187e4c..abf9e1dd 100644
--- a/yesod-core/Yesod/Core/Json.hs
+++ b/yesod-core/Yesod/Core/Json.hs
@@ -133,8 +133,10 @@ requireJsonBody = do
 J.Error s -> invalidArgs [pack s]
 J.Success a -> return a
 
--- | Same as 'requireJsonBody', but ensures that the mime type
--- indicates JSON content.
+-- | Same as 'requireJsonBody', but ensures that the MIME type
+-- indicates JSON content. Requiring a JSON content-type helps secure your site against
+-- CSRF attacks (browsers will perform POST requests for form and text/plain content-types
+-- without doing a CORS check, and those content-types can easily contain valid JSON).
 requireCheckJsonBody :: (MonadHandler m, J.FromJSON a) => m a
 requireCheckJsonBody = do
 ra <- parseCheckJsonBody
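Review bot: The new Haddock lines describe the mechanism a little loosely: the protection does not come from browsers skipping "a CORS check" for form and text/plain bodies, but from the fact that a cross-origin POST carrying a JSON Content-Type is no longer a CORS simple request and therefore triggers a preflight, which a server that has not opted in via CORS response headers will refuse. I would reword the last added line to `-- without a CORS preflight, whereas a JSON content-type forces one that the server can refuse).` and add one sentence saying this is defence in depth that complements, not replaces, Yesod's CSRF token middleware, since it rests on browser CORS behaviour and on whatever CORS policy the site itself configures. It would also help to note that the guarantee is only as strict as the header comparison performed by 'parseCheckJsonBody', which is defined outside this hunk and not visible here.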