From 689f79337c272c89a15163d68b037963b7cd9a04 Mon Sep 17 00:00:00 2001 From: Nick Sweeting Date: Wed, 8 May 2024 19:24:23 -0700 Subject: [PATCH] Updated Setting up Authentication (markdown) --- Setting-up-Authentication.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Setting-up-Authentication.md b/Setting-up-Authentication.md index 5858b5e..967030d 100644 --- a/Setting-up-Authentication.md +++ b/Setting-up-Authentication.md @@ -204,11 +204,12 @@ curl -X 'GET' \ ### API Session Cookie Authentication > [!CAUTION] -> We recommend sticking to header-based authentication and not using this method unless you fully understand the CSRF/CORS security risks. +> We recommend sticking to header-based authentication and not using this method unless you deeply understand the CSRF/CORS security risks. +> This method is mostly useful when testing API requests in the browser during development, as it lets you avoid having to manually attach a key to every request. -Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks). - -You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but +> Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks). +> +> You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but Log in via the Admin Web UI: `/admin/login/`, you can then re-use your login session id (stored in the `sessionid` cookie) for REST API requests. This makes it convenient to test API requests from a browser environment where you're already logged in.