From 89ba52ca4a191f51c0e5b3ab14600fe290512b3b Mon Sep 17 00:00:00 2001 From: Nick Sweeting Date: Wed, 8 May 2024 20:39:19 -0700 Subject: [PATCH] Updated Setting up Authentication (markdown) --- Setting-up-Authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Setting-up-Authentication.md b/Setting-up-Authentication.md index 6ab7ad8..24fe033 100644 --- a/Setting-up-Authentication.md +++ b/Setting-up-Authentication.md @@ -207,7 +207,7 @@ curl -X 'GET' \ > Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks). > -> To allow incoming POST requests from other domains **that you trust**, you must add them to [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) in the `archivebox/core/settings.py` source code on your machine ([open an issue](https://github.com/ArchiveBox/ArchiveBox/issues/new/choose) and explain your use-case if you want us to expose this as normal configuration option). +> To allow incoming POST requests from other domains **that you trust**, you must add them to [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) in the `archivebox/core/settings.py` source code on your machine ([open an issue](https://github.com/ArchiveBox/ArchiveBox/issues/new/choose) and explain your use-case for help). Log in via the Admin Web UI: `/admin/login/`, you can then re-use your login session id (stored in the `sessionid` cookie) for REST API requests. By default, this only allows you to make requests from the same domain ArchiveBox is being served on (e.g. from browser devtools open on an ArchiveBox page or CLI tools).