diff --git a/authentik/api/templates/api/browser.html b/authentik/api/templates/api/browser.html
index 0f29ea4be..2cf325ed2 100644
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@@ -30,7 +30,7 @@ function getCookie(name) {
 window.addEventListener('DOMContentLoaded', (event) => {
 const rapidocEl = document.querySelector('rapi-doc');
 rapidocEl.addEventListener('before-try', (e) => {
- e.detail.request.headers.append('X-CSRFToken', getCookie("authentik_csrf"));
+ e.detail.request.headers.append('X-authentik-CSRF', getCookie("authentik_csrf"));
 });
 });
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 014275cc3..83764acc4 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -75,7 +75,7 @@ AUTH_USER_MODEL = "authentik_core.User"
 _cookie_suffix = "_debug" if DEBUG else ""
 CSRF_COOKIE_NAME = "authentik_csrf"
-CSRF_COOKIE_SAMESITE = None
+CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
 LANGUAGE_COOKIE_NAME = f"authentik_language{_cookie_suffix}"
 SESSION_COOKIE_NAME = f"authentik_session{_cookie_suffix}"
 SESSION_COOKIE_DOMAIN = CONFIG.y("cookie_domain", None)
diff --git a/scripts/web_api_readme.md b/scripts/web_api_readme.md
index 1567467ab..1067c9e88 100644
--- a/scripts/web_api_readme.md
+++ b/scripts/web_api_readme.md
@@ -24,7 +24,7 @@ export const DEFAULT_CONFIG = new Configuration({
 // Required for POST/PUT/DELETE requests
 // getCookie function must return the cookie's contents
 headers: {
- "X-CSRFToken": getCookie("authentik_csrf"),
+ "X-authentik-CSRF": getCookie("authentik_csrf"),
 },
 });
 ```
diff --git a/web/src/api/Config.ts b/web/src/api/Config.ts
index 802984ccd..1cb282191 100644
--- a/web/src/api/Config.ts
+++ b/web/src/api/Config.ts
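Review bot: Removing `CSRF_COOKIE_SAMESITE = None` in the settings.py hunk is a behavioural change on its own, separate from the header rename: the CSRF cookie now falls back to Django's default SameSite value (`'Lax'`) instead of being issued without a SameSite attribute, and nothing in the diff records why that is intended. The new `CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"` is the WSGI META form, while the browser.html, readme and Config.ts hunks send `X-authentik-CSRF` on the wire; that mapping is not obvious from settings alone, so a comment such as `# Wire header is "X-authentik-CSRF"; Django matches it via the META key (upper-case, "-" -> "_", "HTTP_" prefix)` would help. Any session-authenticated client still sending `X-CSRFToken` will now receive 403 on unsafe methods, which is worth stating in the changelog or commit message.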
@@ -53,7 +53,7 @@ export function tenant(): Promise {
 export class CSRFMiddleware implements Middleware {
 pre?(context: RequestContext): Promise {
 // @ts-ignore
- context.init.headers["X-CSRFToken"] = getCookie("authentik_csrf");
+ context.init.headers["X-authentik-CSRF"] = getCookie("authentik_csrf");
 return Promise.resolve(context);
 }
 }
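Review bot: The rewritten assignment in `CSRFMiddleware.pre` still sits under `// @ts-ignore`, so the type error it hides is carried forward rather than fixed; `context.init.headers` is presumably typed as `HeadersInit | undefined` on the generated `RequestContext` (confirm against the runtime), and if it were ever undefined at runtime the index assignment would throw a TypeError, while a `Headers` instance would silently ignore the index write. Building the headers explicitly removes the suppression: `const headers = new Headers(context.init.headers ?? {});` / `headers.set("X-authentik-CSRF", getCookie("authentik_csrf"));` / `context.init.headers = headers;`. If the suppression is kept instead, `// @ts-expect-error <reason>` is preferable to `@ts-ignore` so it fails loudly once the underlying type is fixed.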