The method of protecting routes provided by the REST module by using the "_access_rest_csrf" requirement on the route has been deprecated in favor of the new route requirement "_csrf_request_header_token". This new requirement is provided by the System module so it is not necessary to install the REST module to use this protection on a route.
The new _csrf_request_header_token protection acts identically to _access_rest_csrf for clients. To retrieve the current session's CSRF token, send a GET request to /session/token. To provide the token for a protected route, send it in the "X-CSRF-Token" request header. The route protection only applies to HTTP write operation requests; it does not apply to 'GET', 'HEAD', 'OPTIONS', or 'TRACE' requests.
This should not be confused with the route requirement _csrf_token which expects requests to have the token in a query string parameter "token".
Deprecated support of _access_rest_csrf will be removed in 10.0.0.
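The client side of this protection, as an added example that is not code from Drupal or from this change record: it fetches the session token from /session/token once, reuses it, and attaches X-CSRF-Token only to write requests. The function names, `baseUrl` and the injectable `fetchImpl` are assumptions of the example.

```javascript
// Methods the change record lists as not covered by the route protection.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// True when the route protection applies, i.e. for HTTP write operations.
function needsCsrfToken(method = 'GET') {
  return !SAFE_METHODS.has(String(method).toUpperCase());
}

// Returns a copy of the request options with the token header set for
// write requests; safe requests are returned without the header.
function withCsrfHeader(init = {}, token) {
  const headers = { ...(init.headers || {}) };
  if (needsCsrfToken(init.method)) {
    if (!token) throw new Error('CSRF token required for ' + init.method);
    headers['X-CSRF-Token'] = token;
  }
  return { ...init, headers };
}

// Creates a client bound to one site. baseUrl and fetchImpl are
// assumptions of this example; fetchImpl defaults to the global fetch().
// credentials: 'include' sends the session cookie the token belongs to.
function createDrupalClient(baseUrl, fetchImpl = globalThis.fetch) {
  let tokenPromise = null; // fetched lazily, then reused for the session
  const getToken = () => {
    if (!tokenPromise) {
      tokenPromise = fetchImpl(baseUrl + '/session/token', { credentials: 'include' })
        .then((res) => {
          if (!res.ok) throw new Error('Token request failed: ' + res.status);
          return res.text();
        })
        .then((text) => text.trim())
        .catch((err) => { tokenPromise = null; throw err; }); // retry next time
    }
    return tokenPromise;
  };
  return async function request(path, init = {}) {
    const token = needsCsrfToken(init.method) ? await getToken() : undefined;
    return fetchImpl(baseUrl + path, { credentials: 'include', ...withCsrfHeader(init, token) });
  };
}
```

A request built with `createDrupalClient` never sends the header on GET, HEAD, OPTIONS or TRACE, so a token is only requested once the first write operation is made.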
Comments
I'm using the `_csrf_request_header_token` requirement in my custom route, but it isn't getting checked...