Version 0.8.14 introduces CSRF protection. This means requests to the REST interface (authenticated or not) must carry a CSRF Token or be denied. To enable usage from machine interfaces (syncthing-android, curl, etc) there is also an API key that can be enabled. The settings dialog adds a new API Key field:
The Generate button will generate a new API key.
Requests carrying an X-API-Key HTTP header with this value will be allowed, regardless of authentication or CSRF measures. For example:
Yep. One of these days should be Documentation Day anyhow, time to sit down and refresh stuff. You’re right, not everything needs protection, perhaps something like /rest/version should always be available without authentication to provide an entry point to see if things are alive and if the version supports API keys, etc. Otherwise it’s simpler and safer to just require it on everything - that way we don’t leak lists of repos and things like that.
