At its very basics, it's saying "Your neighbour should not be able to request information from your home".
But its switches, options, etc... are... too much to handle. It's actually why CSP came to life, because it's more logical and controllable than CORS.
Yet, CORS exists, and it's an accepted standard, so you'll have to work with it.
Is there a way to have 2 separate middleware setups for a GraphQL API? A webapp needs to use the API and use JWT with CSRF middleware disabled, while another webapp simply needs to use the CSRF token to use the API (no login).
Use a middleware to inject middleware? :>
Is that even possible? Or allowed? 😄
Yes, of course :P
delegate($next) do something more along the lines of
ThatNewMiddleware($delegate, $next) or something. Might not be 'exact' in terms of 'correctness', but should still be doable I think.
Middleware can read a request and choose to apply itself. They can both be configured middleware but can also both be picky about which request they actually validate.
Aha.. So I could check the request in middleware, and choose to apply CSRF middleware or not?
Pretty cool. Thanks