Forbiden when making a RESTful(ish) POST about crumb HOT 6 CLOSED

Firstly, if you are only accessing a route server-side, CSRF protection is not necessary, as it is a client/browser vulnerability. However if the route is also accessed by a browser, here's how to make it work
In Crumb's default mode, when POSTing a JSON payload include the crumb as {"crumb": "crumbValue"} and the header cookie: crumb=crumbValue
See https://github.com/hapijs/crumb/blob/master/test/index.js#L106 for example
You can also set the crumb plugin option restful: true and then send the crumb along in a HTTP header called X-CSRF-Token along with the cookie header
Additionally the Crumb plugin options has a skip property which allows you to provide a function to skip Crumb validation, which would be an option as well.
Let me know if you need any further assistance

from crumb.

Thanks, I have tried the crumb's default mode, it works as anticipated.

If I were to set restful: true will the server still be able protect against
the POSTs which are not API calls?
Or is it possible to set restful: true for a API connection and leave default for the other?

from crumb.

the form submissions would require some processing to add the X-CSRF-Token header when restful: true - a raw post from browser would fail
as far as I know, restful has to be true or false.
you might be better off on using the skip option for such things

from crumb.

@stongo crumb works like a charm, I have tried few things and I found the easier way is to register crumb a particular connection, say www server with its options and register crumb for api server with restful options.
Do you know issues that could create?.

from crumb.

@rutaihwa that's brilliant! I would say you are all good with that setup

from crumb.

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

from crumb.