CSRF Protection Bypass for JSON APIs

[kasimlyee]

Problem:
CSRF middleware ONLY validates tokens in form() data (URL-encoded or multipart)
API endpoints that accept application/json are completely unprotected
Attackers can bypass CSRF by sending JSON payloads

Impact: High - All JSON API endpoints vulnerable to CSRF attacks PoC

[Jones-peter]

@kasimlyee
Thank you for reporting this issue. I’ve identified the cause and applied the fix. The problem is now resolved, so we can close this.