Annotation Interface CSRFGuarded
NameBinding annotation for the CSRFRequestFilter, which enforces an
Origin/Referer whitelist on the four simple-request REST endpoints (multipart
upload) that bypass the browser's CORS preflight protection.
The filter is opt-in via webapi.csrf[@enabled]=true. When the
configuration switch is false (default), endpoints annotated with
@CSRFGuarded behave exactly as before.
Requests authenticated with a bearer token always bypass the check: a bearer token is never sent automatically by the browser, so its presence proves a deliberate client call.
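The decision order described above (configuration switch, bearer-token bypass, then Origin/Referer whitelist), as an added sketch that is not the project's CSRFRequestFilter code. The class name, the rejection of requests carrying neither header, and the example.test origins are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

// Added illustration: hypothetical class, not the project's CSRFRequestFilter.
public class OriginCheckSketch {
    private final boolean enabled;             // mirrors webapi.csrf[@enabled]
    private final Set<String> allowedOrigins;  // entries in scheme://host[:port] form

    public OriginCheckSketch(boolean enabled, Set<String> allowedOrigins) {
        this.enabled = enabled;
        this.allowedOrigins = allowedOrigins;
    }

    /** Returns true if the request may proceed; header values are null when absent. */
    public boolean allow(String authorization, String origin, String referer) {
        if (!enabled) return true;  // switch off: annotated endpoints behave as before
        // Bearer tokens are attached by client code; token validity is assumed to be checked elsewhere.
        if (authorization != null && authorization.regionMatches(true, 0, "Bearer ", 0, 7)) return true;
        // Origin wins when present (even if it is "null"); Referer is only the fallback.
        String source = normalize(origin != null ? origin : referer);
        // Assumption: a missing or unparsable source is rejected rather than waved through.
        return source != null && allowedOrigins.contains(source);
    }

    /** Reduces an Origin or Referer value to scheme://host[:port] for exact comparison. */
    static String normalize(String value) {
        if (value == null) return null;
        try {
            URI u = URI.create(value.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;  // covers Origin: null
            String base = u.getScheme().toLowerCase(Locale.ROOT) + "://" + u.getHost().toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? base : base + ":" + u.getPort();
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        OriginCheckSketch check = new OriginCheckSketch(true, Set.of("https://app.example.test"));
        // Constructed sample requests: (Authorization, Origin, Referer)
        System.out.println(check.allow(null, "https://app.example.test", null));
        System.out.println(check.allow(null, null, "https://app.example.test/upload?x=1"));
        System.out.println(check.allow(null, "https://app.example.test.evil.example", null));
        System.out.println(check.allow(null, "null", null));
        System.out.println(check.allow("Bearer abc", "https://other.example", null));
    }
}
```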