mirror of
https://github.com/pirate/ArchiveBox.git
synced 2025-08-24 23:16:19 +02:00
Updated Setting up Authentication (markdown)
@@ -204,11 +204,12 @@ curl -X 'GET' \
|
||||
### API Session Cookie Authentication
|
||||
|
||||
> [!CAUTION]
|
||||
> We recommend sticking to header-based authentication and not using this method unless you fully understand the CSRF/CORS security risks.
|
||||
> We recommend sticking to header-based authentication and not using this method unless you deeply understand the CSRF/CORS security risks.
|
||||
> This method is mostly useful when testing API requests in the browser during development, as it lets you avoid having to manually attach a key to every request.
|
||||
|
||||
Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks).
|
||||
|
||||
You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but
|
||||
> Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks).
|
||||
>
|
||||
> You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but
|
||||
|
||||
Log in via the Admin Web UI: `/admin/login/`, you can then re-use your login session id (stored in the `sessionid` cookie) for REST API requests. This makes it convenient to test API requests from a browser environment where you're already logged in.
|
||||
|
||||
|
Reference in New Issue
Block a user