angular4 httpclient csrf does not send x-xsrf-token angular4 httpclient csrf does not send x-xsrf-token angular angular

angular4 httpclient csrf does not send x-xsrf-token


angular cookies csrf-protection x-xsrf-token

What you are looking for is HttpClientXsrfModule.

Please read more about it here: https://angular.io/api/common/http/HttpClientXsrfModule.

Your usage should be like this:

imports: [    HttpClientModule,   HttpClientXsrfModule.withOptions({   cookieName: 'My-Xsrf-Cookie', // this is optional   headerName: 'My-Xsrf-Header' // this is optional }) ]

Additionally, if your code targets API via absolute URL, default CSRF interceptor will not work out of the box. Instead you have to implement your own interceptor which does not ignore absolute routes.

@Injectable()export class HttpXsrfInterceptor implements HttpInterceptor {  constructor(private tokenExtractor: HttpXsrfTokenExtractor) {  }  intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {    const headerName = 'X-XSRF-TOKEN';    let token = this.tokenExtractor.getToken() as string;    if (token !== null && !req.headers.has(headerName)) {      req = req.clone({ headers: req.headers.set(headerName, token) });    }    return next.handle(req);  }}

And finally add it to your providers:

providers: [  { provide: HTTP_INTERCEPTORS, useClass: HttpXsrfInterceptor, multi: true }]

angular cookies csrf-protection x-xsrf-token

I suppose the correct method is withOptions. I used withConfig and got error Property 'withConfig' does not exist on type 'typeof HttpClientXsrfModule'. This is a typing issue in the documentation. You need to use "withOptions" instead HttpClientXsrfModule.withOptions({ cookieName: 'My-Xsrf-Cookie', headerName: 'My-Xsrf-Header',})

angular cookies csrf-protection x-xsrf-token

Using the recent Angular version I ran into the following problem. While the token is passed to the client using the header name 'XSRF-TOKEN', the response must feed back the token using the header name 'X-XSRF-TOKEN'. So here is a slightly modified version of Miroslav's code above which works for me.

@Injectable()export class HttpXSRFInterceptor implements HttpInterceptor {  constructor(private tokenExtractor: HttpXsrfTokenExtractor) {  }  intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {    const headerName = 'XSRF-TOKEN';    const respHeaderName = 'X-XSRF-TOKEN';    let token = this.tokenExtractor.getToken() as string;    if (token !== null && !req.headers.has(headerName)) {      req = req.clone({ headers: req.headers.set(respHeaderName, token) });    }    return next.handle(req);  }}

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last