Mercurial Repository: p/roundup/code: doc/rest.txt comparison

Documentation and fix for REST headers issue2551372 - Better document necessary headers for REST and fix logging to log missing Origin header.

author	Ralf Schlatterbeck <rsc@runtux.com>
date	Wed, 04 Dec 2024 10:45:26 +0100
parents	2244205dd7c4
children	d02ce1d14acd

comparison

equal deleted inserted replaced

-:5ea419c1d571
+:bd628e64725f
 .. _upgrading directions: upgrading.html
 Preventing CSRF Attacks
 -----------------------
-Clients should set the header X-REQUESTED-WITH to any value and the
+Clients should set the header ``X-REQUESTED-WITH`` to any value and the
 tracker's config.ini should have ``csrf_enforce_header_x-requested-with
 = yes`` or ``required``.
 If you want to allow Roundup's api to be accessed by an application
 that is not hosted at the same origin as Roundup, you must permit
 the origin using the ``allowed_api_origins`` setting in
 ``config.ini``.
+If you access the REST interface with a method other than ``GET``, you
+must also supply an origin header with a value that is either the
+default origin (the URL of the tracker without the path component set in
+the config file as ``web`` in section ``[tracker]``) or one that is
+permitted by ``allowed_api_origins``.
 Rate Limiting API Failed Logins
 -------------------------------
 To make brute force password guessing harder, the REST API has an

Mercurial > p > roundup > code