Optimize API client headers by method - only set Content-Type and CSRF header as needed

- Only set Content-Type header for requests with a body (POST, PUT, DELETE with body) - Only set X-BanGUI-Request CSRF header for mutating methods (POST, PUT, DELETE, PATCH) - GET, HEAD, OPTIONS requests no longer include unnecessary headers, reducing CORS preflights - Update Web-Development.md to clarify conditional header behavior - Add comprehensive tests for header behavior by HTTP method This reduces unnecessary CORS preflight requests on GET endpoints while maintaining CSRF protection on state-mutating requests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-29 19:52:17 +02:00
parent bc4ba703f0
commit 0a350b3acc
5 changed files with 188 additions and 28 deletions
--- a/Docs/Tasks.md
+++ b/Docs/Tasks.md
@@ -1,21 +1,3 @@
-## 34) Setup redirect allowlist uses broad prefix matching
- Where found:
-	- [backend/app/main.py](backend/app/main.py#L434)
- Why this is needed:
-	- Prefix-based allow rules are fragile for future route additions.
- Goal:
-	- Use exact path or route-level allow policy.
- What to do:
-	- Replace startswith matching with explicit allowlist checks.
- Possible traps and issues:
-	- API docs and setup flow paths must remain reachable.
- Docs changes needed:
-	- Add setup guard route policy documentation.
- Doc references:
-	- [backend/app/main.py](backend/app/main.py)
-
---
-
 ## 35) API client sends JSON and CSRF header for every request method
 - Where found:
 	- [frontend/src/api/client.ts](frontend/src/api/client.ts)