I am working on a web site created in Go.
It is possible to access it both via web (server-side pages generated via Go templates) and a REST API (for external users who want to integrate their own software). The Go server handles both types of requests, with a subrouter that handles the API when calls are sent to the subpath "my-url-root/api".
- The web pages use secure cookies
- The API is stateless: no cookies (each API method must receive an authentication token in the header, obtained via a dedicated login method)
I successfully applied gorilla/csrf to protect the web pages from CSRF attacks, but that modification (essential before I go live) is now creating an issue with the API.
My question: when CSRF protection is implemented, all GET requests sent to the API URLs work as expected, but any other request sent (e.g. a POST to a method that adds something via my REST API) generates an HTML response that typically states "Forbidden - invalid CSRF token".
Is there a straightforward way that I am missing? I searched for answers but found none applicable to the case where the API is served by the same server and, most of all, is stateless. Should I see if I can "disable" the gorilla/csrf protection for the subrouter (though I do not even know if that is possible, or if it is even safe...)?
Thanks for your help.
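As an added illustration of the routing arrangement the question is about (example code, not the asker's own code and not gorilla's), the program below builds two independent middleware chains with only the standard library: the CSRF middleware wraps the cookie-authenticated web routes, while the `/api/` subtree is served by a bearer-token chain that never passes through it. `csrfProtect` and `requireSessionCookie` are simplified stand-ins for `csrf.Protect` and a real session check, and the three demo tokens are constructed constants. The last request in `main` is the check that makes exempting the API defensible: a request carrying only the session cookie, which is the shape a cross-site request would have, is rejected by the API because the API authenticates from the `Authorization` header alone.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed demo secrets. In a real deployment the CSRF token comes from the
// session (csrf.Token(r) with gorilla/csrf) and the API token from the dedicated
// login endpoint; both are per user, never constants.
const (
	demoSessionCookie = "demo-session-value"
	demoCSRFToken     = "demo-csrf-token-0123456789"
	demoAPIToken      = "demo-api-token-abcdef"
)

// csrfProtect is a simplified stand-in for gorilla/csrf's csrf.Protect: safe
// methods pass through, unsafe methods must carry a matching X-CSRF-Token header.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
			next.ServeHTTP(w, r)
			return
		}
		got := []byte(r.Header.Get("X-CSRF-Token"))
		if subtle.ConstantTimeCompare(got, []byte(demoCSRFToken)) != 1 {
			http.Error(w, "Forbidden - invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireSessionCookie stands in for the web site's secure-cookie session check.
func requireSessionCookie(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil || subtle.ConstantTimeCompare([]byte(c.Value), []byte(demoSessionCookie)) != 1 {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireBearerToken authenticates API calls from the Authorization header only.
// It deliberately ignores cookies: a browser attaches cookies to a cross-site
// request automatically but cannot add a custom Authorization header, which is
// why an API authenticated this way needs no CSRF token.
func requireBearerToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(tok), []byte(demoAPIToken)) != 1 {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// resource is the same trivial handler on both surfaces: 201 on POST, 200 otherwise.
func resource(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodPost {
		w.WriteHeader(http.StatusCreated)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// newServer wires the two chains. Only the web chain contains csrfProtect;
// the longer "/api/" pattern wins over "/" in ServeMux, so API calls never reach it.
func newServer() http.Handler {
	web := http.NewServeMux()
	web.HandleFunc("/items", resource)

	api := http.NewServeMux()
	api.HandleFunc("/api/items", resource)

	root := http.NewServeMux()
	root.Handle("/api/", requireBearerToken(api))
	root.Handle("/", csrfProtect(requireSessionCookie(web)))
	return root
}

// status sends one request through newServer and returns the response code.
// withCookie attaches the session cookie; csrf and bearer set headers when non-empty.
func status(method, path string, withCookie bool, csrf, bearer string) int {
	req := httptest.NewRequest(method, path, nil)
	if withCookie {
		req.AddCookie(&http.Cookie{Name: "session", Value: demoSessionCookie})
	}
	if csrf != "" {
		req.Header.Set("X-CSRF-Token", csrf)
	}
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	newServer().ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("web POST, cookie + CSRF token:", status("POST", "/items", true, demoCSRFToken, ""))
	fmt.Println("web POST, cookie, no CSRF token:", status("POST", "/items", true, "", ""))
	fmt.Println("API POST, bearer token only:", status("POST", "/api/items", false, "", demoAPIToken))
	fmt.Println("API POST, cookie only:", status("POST", "/api/items", true, "", ""))
}
```

With gorilla/mux the same split is obtained by calling `Use(csrf.Protect(key))` on the web subrouter rather than on the root router, so the `/api` subrouter is outside the protected chain; the property worth verifying afterwards is the one the last request exercises, namely that no API handler ever falls back to the session cookie for authentication.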