See the Versioning README for more details on framework versions in general.
- A valid
redcap_csrf_tokenparameter is now required on almost all POST requests, but will be automatically added behind the scenes in many cases.-
Many module pages where the REDCap headers are included will not require any changes because the
redcap_csrf_tokenparameter will automatically be added to static forms and jQuerypost()method calls. -
The
redcap_csrf_tokenPOST parameter will need to be added to dynamically generated forms, jQueryajax()calls, non-jQuery javascript requests, and POST requests on pages where the REDCap headers are not included. In those cases, the$module->getCSRFToken()method should be used to set the value of theredcap_csrf_tokenPOST parameter. See theConfiguration Examplemodule bundled with REDCap forgetCSRFToken()usage examples in a few different cases. All POST requests made by module code should be tested before releasing a module update for this framework version. -
For the very small number of pages where CSRF tokens should not be required (like custom APIs), pages can be omitted from CSRF checking by added them to
config.jsonas follows (similar fashion tono-auth-pages). See the Configuration Example module for an example. Do NOT abuse this feature by using it in cases where you should be using CSRF tokens:{ "no-csrf-pages": [ "some-page" ] }
-
- If skipping framework versions, do not forget to review/address the breaking changes from all prior framework versions.