Where does Phoenix pick up CSRF token?

I’m struggling to understand Plug. Plug.CSRFProtection — Plug v1.14.0 says

The token may be sent by the request either via the params with key “_csrf_token” or a header with name “x-csrf-token”.

But I don’t see CSRF token in my conn. Neither in params nor req_headers.

I only see get_csrf_token() in a <meta> in app.html.heex.

Where should I look to understand this?

The CSRF token is used in 2 places:

  • for a form POST, a hidden input called _csrf_token is included in every form
  • for a socket connection, app.js gets the csrf_token from the HTML meta tag (which you found) and includes it in the connect params.

Then on the server side, Phoenix extracts the token accordingly and compares it with the token stashed in the session to make sure they match before deeming that the POST or the socket connect is coming from a legit source.

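As an added illustration of the socket half of that answer (not code from the thread or from Phoenix itself; module names and the session options are assumed placeholders), this shows the endpoint passing the session into the socket and a `connect/3` that checks the `_csrf_token` connect param against the session state with `Plug.CSRFProtection.valid_state_and_csrf_token?/2`. The form POST half needs nothing extra: `protect_from_forgery` in the router's `:browser` pipeline already performs the same comparison for the hidden `_csrf_token` input.

```elixir
# lib/my_app_web/endpoint.ex (trimmed to the parts that matter; MyApp is a placeholder)
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  @session_options [store: :cookie, key: "_my_app_key", signing_salt: "CHANGE_ME"]

  # Without `connect_info: [session: ...]` the socket never sees the session,
  # so there is nothing to compare the client's token against.
  socket "/socket", MyAppWeb.UserSocket,
    websocket: [connect_info: [session: @session_options]]

  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end

# lib/my_app_web/channels/user_socket.ex
defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  # app.js reads <meta name="csrf-token"> and sends it as the `_csrf_token`
  # connect param; Plug.CSRFProtection stored the matching unmasked state in
  # the session under the same "_csrf_token" key when the page was rendered.
  @impl true
  def connect(params, socket, connect_info) do
    token = params["_csrf_token"]
    state = get_in(connect_info, [:session, "_csrf_token"])

    if is_binary(token) and is_binary(state) and
         Plug.CSRFProtection.valid_state_and_csrf_token?(state, token) do
      {:ok, socket}
    else
      # No token, no session cookie, or a token minted for another session:
      # refuse the connection instead of silently accepting it.
      :error
    end
  end

  @impl true
  def id(_socket), do: nil
end
```

A rejected connect surfaces on the client as a 403 on the websocket upgrade, which is the signal to watch for when the meta tag or the session cookie is missing.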

And I couldn’t find it because I was looking into a normal GET HTTP request, thank you so much!