I use a double submit technique to prevent unauthorized and unwarranted access. This carries a restriction on the usage of Swagger. In my current setup, to prove that I have "the right to write", I have to manually copy a security token (x-xsrf-token) from the last request to the new request every time I want to interact with my API using the PUT, POST or DELETE method.
Is there a way I can disable CSRF for Swagger?
Or do you have an idea how I can solve my issue?
Thanks
The specification doesn't have good support for this use case at the moment. There is some work going on around authentication in general (see OAI/OpenAPI-Specification#451 (comment), for example), so now would be a good time to start a discussion about it over at OpenAPI. That said - if your x-xsrf-token isn't standards-based, it's unlikely that it would ever be included in the specification. Also, CSRF is becoming less relevant over time, as browsers add user-agent level support for controls over cross-origin request cookie inclusion.
My suggestion would be to either use a requestInterceptor to manually capture and attach the latest xsrf token to requests programmatically, or modify your server to disable your CSRF mechanism for Swagger UI somehow.
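One way to implement the requestInterceptor suggestion above, as an added example that is not the maintainer's code and not part of Swagger UI itself. It assumes the server returns the fresh token in an x-xsrf-token response header (the header and spec URL names are placeholders to adjust), and it only attaches the token to state-changing requests sent to the configured API origin, so the token is never forwarded to another host.

```javascript
// Added example: Swagger UI interceptors that remember the most recent XSRF
// token seen in a response and attach it to later PUT/POST/PATCH/DELETE calls.
// Assumption: the API returns the token in a response header named
// "x-xsrf-token" and expects it back in a request header of the same name.
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

function makeXsrfInterceptors({ apiOrigin, headerName = 'x-xsrf-token' } = {}) {
  let token = null; // latest token observed in a response

  // Runs on every response Swagger UI receives; captures a fresh token.
  function responseInterceptor(res) {
    const headers = res.headers || {};
    const fresh = headers[headerName] || headers[headerName.toUpperCase()];
    if (fresh) token = fresh;
    return res;
  }

  // Runs on every request Swagger UI sends. The token is only added for
  // state-changing methods, and only when the request targets apiOrigin,
  // so a spec pointing at a third-party server never receives it.
  function requestInterceptor(req) {
    const method = (req.method || 'GET').toUpperCase();
    if (!STATE_CHANGING.has(method) || !token) return req;
    if (apiOrigin) {
      let origin = null;
      try { origin = new URL(req.url).origin; } catch (e) { origin = null; }
      if (origin !== apiOrigin) return req;
    }
    // Copy existing headers rather than mutating the object Swagger UI gave us.
    req.headers = Object.assign({}, req.headers, { [headerName]: token });
    return req;
  }

  return { requestInterceptor, responseInterceptor, getToken: () => token };
}

// Wiring into Swagger UI; this branch only runs in a browser page that has
// loaded the swagger-ui-bundle script. '/openapi.json' is a placeholder path.
if (typeof window !== 'undefined' && typeof window.SwaggerUIBundle === 'function') {
  const xsrf = makeXsrfInterceptors({ apiOrigin: window.location.origin });
  window.ui = window.SwaggerUIBundle({
    url: '/openapi.json',
    dom_id: '#swagger-ui',
    requestInterceptor: xsrf.requestInterceptor,
    responseInterceptor: xsrf.responseInterceptor,
  });
}
```

Because the token is refreshed from every response, a server that rotates the token per request keeps working without any manual copying.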