Firesphere

In the very basics, it's saying "Your neighbour should not be able to request information from your home"

Firesphere

But its switches, options, etc... are... too much to handle. It's actually why CSP came to life, because it's more logical and controllable than CORS.

Firesphere

Yet, CORS exists, and it's an accepted standard, so you'll have to work with it.

sander_ha

Is there a way to have 2 separate middleware setups for a GraphQL API? A webapp needs to use the API and use JWT with CSRF middleware disabled, while another webapp simply needs to use the CSRF token to use the API (no login).

nightjarnz

Use a middleware to inject middleware? :>

nightjarnz

Yes, of course :P instead of delegate($next) do something more along the lines of ThatNewMiddleware($delegate, $next) or something. Might not be 'exact' in terms of 'correctness', but should still be doable I think.

Scopey

Middleware can read a request and choose to apply itself. They can both be configured middleware but can also both be picky about which request they actually validate.

sander_ha

Aha.. So I could check the request in middleware, and choose to apply CSRF middleware or not?