docs icon indicating copy to clipboard operation
docs copied to clipboard
verified publisher icon pi-hole

Add clarification to API behavior with respect to CSRF and cookies

Open manedurphy opened this issue 2 months ago • 2 comments

Thank you for your contribution to the Pi-hole Community!

Please read the comments below to help us consider your Pull Request.

We are all volunteers and completing the process outlined will help us review your commits quicker.

Please make sure you

  1. Base your code and PRs against the repositories developmental branch.
  2. Sign Off all commits as we enforce the DCO for all contributions
  3. Sign all your commits as they must have verified signatures
  4. File a pull request for any change that requires changes to our documentation at our documentation repo

What does this PR aim to accomplish?:

  • Adds clarity on how the Pi-hole API validates requests with Cookie authentication and CSRF tokens.
  • The docs mentions that cookie-based authentication must include a CSRF token in the X-FTL-CSRF header, but the code shows that the header is named X-CSRF-TOKEN, see here.
  • The code examples show the use of the X-FTL-CSRF in scenarios where the code/script run outside of the browser. This is misleading, as those example do not explicitly opt-in for cookie-based authentication.
  • A JavaScript example showed setting the sid value in the request URI in additional to setting the CSRF token, which is also misleading because in a browser we would expect the cookie to be set automatically, which the API checks before checking the request URI.

How does this PR accomplish the above?:

  • All changes address the following points mentioned above

Link documentation PRs if any are needed to support this PR:

  • N/A

By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code and I have tested my changes.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)
  6. I have checked that another pull request for this purpose does not exist.
  7. I have considered, and confirmed that this submission will be valuable to others.
  8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  9. I give this submission freely, and claim no ownership to its content.
  • [x] I have read the above and my PR is ready for review. Check this box to confirm

manedurphy avatar Dec 02 '25 07:12 manedurphy

Deploy Preview for pihole-docs ready!

Name Link
Latest commit 5480a8656b87a713b6f4686e79371b9f0d124d1c
Latest deploy log https://app.netlify.com/projects/pihole-docs/deploys/692f5f2073953a00080db079
Deploy Preview https://deploy-preview-1323--pihole-docs.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

netlify[bot] avatar Dec 02 '25 07:12 netlify[bot]

@DL6ER Can you check this over and see if it lines up with the API design please?

dschaper avatar Dec 02 '25 20:12 dschaper