CSRF Prevention

eddy_oj · January 8, 2019, 10:52pm

Hi all,

I recognise that the Dash team removed CSRF protection via a token due to the logic that POST requests don’t require this in JSON based applications:

Reading around (e.g https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) it is suggested that CSRF can be prevented if a pre-flight request is forced by application/json made to the server in order to check the permitted content types and the origin. If the origin is different then the payload is rejected.

Is this what Dash is doing to prevent CSRF? It is hard to pin point this in the code.

eddy_oj · January 8, 2019, 11:18pm

Another useful resource on preflight requests suggesting that the browser forces this to the Dash server.

Topic		Replies	Views
What is the Current Way to Disable CSRF? (my_app = dash.Dash(csrf_protect=False)) Dash Python question	0	419	July 19, 2022
CSRF protection in Dash Dash Python question	3	711	February 2, 2023
TypeError: Dash() got an unexpected keyword argument 'csrf_protect' Dash Python	3	3674	April 3, 2020
CORS preflight request freezes our app Dash Python	3	2956	March 18, 2021
[Solved] CSRF and dash interactive apps Dash Python	2	3202	November 30, 2023