Exempt internal action/data requests from CSRF protection

Internal service-to-service POSTs (call_action) were blocked by CSRF
middleware since they have no session cookie. These requests are already
gated by X-Internal-Action/X-Internal-Data headers and only reachable
on the Docker overlay network.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
giles
2026-02-25 03:19:10 +00:00
parent 8f4104a4bf
commit b91a58f30a


@@ -57,6 +57,11 @@ async def protect() -> None:
if _is_exempt_endpoint():
return
# Internal service-to-service calls are already gated by header checks
# and only reachable on the Docker overlay network.
if request.headers.get("X-Internal-Action") or request.headers.get("X-Internal-Data"):
return
session_token = qsession.get("csrf_token")
if not session_token:
abort(400, "Missing CSRF session token")
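Review bot: the new early return in `protect()` exempts a request from CSRF validation on the mere presence of `X-Internal-Action` or `X-Internal-Data`, while the commit message says the internal calls are "gated by" those headers. The truthiness test `request.headers.get("X-Internal-Action") or request.headers.get("X-Internal-Data")` does not verify anything; if the real gate is a per-endpoint check in the `call_action` handler, this exemption is still global and lets any CSRF-protected endpoint be reached without a token by a client that can set an arbitrary header, so the network boundary becomes the only control. Suggest either comparing the header value against the internal shared secret here (constant-time, e.g. `hmac.compare_digest`) before returning, or restricting the exemption to the internal endpoints via `_is_exempt_endpoint()` so the bypass surface matches the stated intent; the inline comment "already gated by header checks" should then describe where that gating actually happens.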