csrf middleware: let grafana requests through

Administrator requested to merge grafana_csrf_token into master

Created by: uwedeportivo

Fixes https://github.com/sourcegraph/sourcegraph/issues/6075

CSRF protection kicks in for unsafe HTTP commands like PUT and POST.

This wasn't a problem for our reverse proxy at https://github.com/sourcegraph/sourcegraph/blob/master/cmd/frontend/internal/app/debug.go before because all the instrumentation HTTP traffic (varz, metrics etc.) for gitserver and the others was pure GET requests.

Now that we're running Grafana behind the same scheme, it does POST and PUT requests too and the CSRF token is invalid.

Grafana itself is CSRF protected so I think it's OK to bypass the middleware for requests to Grafana.
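
A minimal sketch of a path-scoped CSRF exemption of the kind described above, added here as an illustration; it is not the code from this merge request or from Sourcegraph. The prefix `/debug/grafana/`, the cookie and header names, and the toy double-submit check are all assumptions. It normalises the path before matching so the exemption covers only the proxied subtree.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// exemptPrefix is a hypothetical mount point for the proxied Grafana UI.
const exemptPrefix = "/debug/grafana/"

// isExempt matches on the cleaned path, so "../" segments or a sibling
// such as /debug/grafanax do not inherit the exemption.
func isExempt(p string) bool {
	clean := path.Clean("/" + p)
	return strings.HasPrefix(clean+"/", exemptPrefix)
}

// csrfWithExemption enforces a toy double-submit token (cookie vs header)
// on unsafe methods, except for requests under exemptPrefix.
func csrfWithExemption(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Method == "GET" || r.Method == "HEAD" || r.Method == "OPTIONS"
		if !safe && !isExempt(r.URL.Path) {
			c, err := r.Cookie("csrf_token")
			h := r.Header.Get("X-CSRF-Token")
			if err != nil || h == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(h)) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// status sends a request carrying no CSRF token through the middleware
// and returns the resulting HTTP status code.
func status(method, target string) int {
	h := csrfWithExemption(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec.Code
}

func main() {
	fmt.Println(status("POST", "/debug/grafana/api/dashboards/db"))  // exempt subtree
	fmt.Println(status("POST", "/debug/grafana/../../api/settings")) // cleans to /api/settings
	fmt.Println(status("POST", "/api/settings"))                     // still protected
	fmt.Println(status("GET", "/api/settings"))                      // safe method
}
```

The exemption is only as strong as the CSRF protection of the service behind the prefix, so it should stay as narrow as the proxied route itself.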
