spelling fix - Update Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md (#1385)
seanpascoe authored Apr 17, 2024
1 parent 82ab886 commit f299ae7
Showing 1 changed file with 1 addition and 1 deletion.
@@ -124,7 +124,7 @@ Should a browser bug allow custom HTTP headers, or not enforce preflight on non-

### Disallowing simple content types

For a request to be deemed simple, it must have one of the following content types - `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain`. Many modern web applications use JSON APIs so would naturally require CORS, however they may accept `text/plain` which would be vulnerable to CSRF. Therefore a simple migitation is for the server or API to disallow these simple content types.
For a request to be deemed simple, it must have one of the following content types - `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain`. Many modern web applications use JSON APIs so would naturally require CORS, however they may accept `text/plain` which would be vulnerable to CSRF. Therefore a simple mitigation is for the server or API to disallow these simple content types.

### Employing Custom Request Headers for AJAX/API

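Review bot: the only change in this hunk is the spelling correction "migitation" to "mitigation" on the changed line, which is correct and leaves the rest of the line byte-for-byte identical. One style point on that same line, which a follow-up could pick up since the line is already being touched: "Many modern web applications use JSON APIs so would naturally require CORS, however they may accept `text/plain` which would be vulnerable to CSRF." is a comma splice; splitting it reads more cleanly, for example "Many modern web applications use JSON APIs and so would naturally require CORS. However, they may also accept `text/plain`, which would be vulnerable to CSRF." The hyphen after "content types" in the first sentence would also be better as a colon, since it introduces the list that follows.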
