CSRF/XSRF attacks protection

SAYMON utilizes cookie-based CSRF tokens to protect from CSRF/XSRF attacks.

When a user logs into the SAYMON system, the server sets the token in the csrf cookie. The client then adds the x-csrf-token header, carrying that token, to every POST, PUT, PATCH and DELETE request. The server checks this header and rejects any request whose token is missing or incorrect.

If the provided token is missing or incorrect, the server responds with the 401 Unauthorized status code and the following error in the response body:

{
    "errorCode": 3,
    "message": "Wrong CSRF Token"
}

To enable CSRF protection, set the csrf_token_enabled parameter of the server configuration to true.

/etc/saymon/saymon-server.conf
{
    "server": {
        "user": {
            "csrf_token_enabled": true
        }
    }
}