1
0
mirror of https://github.com/pirate/ArchiveBox.git synced 2025-08-24 23:16:19 +02:00

Updated Setting up Authentication (markdown)

Nick Sweeting
2024-05-08 19:24:23 -07:00
parent 5f1663a7d3
commit 689f79337c

@@ -204,11 +204,12 @@ curl -X 'GET' \
### API Session Cookie Authentication
> [!CAUTION]
> We recommend sticking to header-based authentication and not using this method unless you fully understand the CSRF/CORS security risks.
> We recommend sticking to header-based authentication and not using this method unless you deeply understand the CSRF/CORS security risks.
> This method is mostly useful when testing API requests in the browser during development, as it lets you avoid having to manually attach a key to every request.
Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks).
You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but
> Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks).
>
> You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but
Log in via the Admin Web UI: `/admin/login/`, you can then re-use your login session id (stored in the `sessionid` cookie) for REST API requests. This makes it convenient to test API requests from a browser environment where you're already logged in.