template::require_post (public)
template::require_post
Defined in packages/acs-tcl/tcl/tcl-documentation-procs.tcl
Enforce HTTP POST for state-changing requests.

Verify that the current request was issued using the HTTP POST method. If the request uses any other method (e.g. GET), return a "405 Method Not Allowed" response and abort request processing.

Background: State-changing operations should not be reachable via HTTP GET. In particular, browsers will send session cookies on cross-site GET navigations when SameSite is set to "lax", which enables CSRF attacks via forged links. Requiring POST reduces the attack surface and allows SameSite=Lax cookies to provide an additional layer of protection.

This procedure is intended to be used in combination with explicit CSRF token validation for full protection.

This validator is intended to be used in a "-validate" block of a page contract or ad_form.
- Returns:
- 1 on success; otherwise the request is aborted
- Testcases:
- No testcase defined.
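
One way to wire the validator into a page contract for a state-changing page, paired with CSRF token validation as the description recommends. This is an added example, not code from OpenACS itself; the page path, the `note_id` parameter, the `notes` table, and the use of `security::csrf::validate` as the token check are assumptions.

```tcl
# Added example: /notes/delete.tcl (hypothetical page), reached only from a
# <form method="post"> that carries the CSRF token as a hidden field.
ad_page_contract {
    Delete one note. State-changing, so it must arrive via POST.
} -query {
    note_id:naturalnum,notnull
} -validate {
    post_only {
        # Non-POST requests get "405 Method Not Allowed" and processing
        # is aborted inside the validator; on POST it returns 1.
        template::require_post
    }
    csrf {
        # Assumption: security::csrf::validate is this installation's
        # CSRF token validator. The method check does not replace it.
        security::csrf::validate
    }
}

# Reached only for POST requests that passed both validators.
permission::require_permission -object_id $note_id -privilege delete

# Hypothetical table; the bind variable keeps note_id out of the SQL text.
db_dml delete_note {
    delete from notes where note_id = :note_id
}

ad_returnredirect "."
ad_script_abort
```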