fix: add CSRF protection to API v1 routes (closes #112)
All checks were successful
Check / check (pull_request) Successful in 12m25s
Add APICSRFProtection middleware that requires X-Requested-With header on all state-changing (non-GET/HEAD/OPTIONS) API requests. This prevents CSRF attacks since browsers won't send custom headers in cross-origin simple requests (form posts, navigations).

Changes:
- Add APICSRFProtection() middleware in internal/middleware/middleware.go
- Apply middleware to /api/v1 route group in routes.go
- Add X-Requested-With to CORS allowed headers
- Add unit tests for the middleware (csrf_test.go)
- Add integration tests for CSRF rejection/allowance (api_test.go)
- Update existing API tests to include the required header
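The custom-header check the commit message describes, as an added stand-alone example; this is not the project's middleware.go and it uses plain net/http rather than chi so it runs without dependencies. The function name APICSRFProtection, the route path /api/v1/items and the Probe helper are assumptions made for the illustration. The safety argument is the one the message gives: a cross-site form post or navigation cannot attach X-Requested-With, so only a script that passed CORS can reach the handler. The flip side, which the commit's CORS change makes relevant, is that every origin on the CORS allow list can set the header, so the allow list is part of the control.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Methods that never change state (or are CORS preflights) pass through
// unchecked; everything else must carry the custom header.
var safeMethods = map[string]bool{
	http.MethodGet:     true,
	http.MethodHead:    true,
	http.MethodOptions: true,
}

const requiredHeader = "X-Requested-With"

// APICSRFProtection is a hypothetical reconstruction of the middleware the
// commit message names. It rejects state-changing requests that lack the
// X-Requested-With header. Browsers only send custom headers after a
// successful CORS preflight, so an attacker page on an origin outside the
// CORS allow list cannot make the victim's browser add it.
func APICSRFProtection() func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if !safeMethods[r.Method] && r.Header.Get(requiredHeader) == "" {
				http.Error(w, "missing "+requiredHeader+" header", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// Probe (assumed helper) sends one in-memory request through the middleware
// and returns the status code the client would see. It plays the role of the
// integration tests the commit message mentions, without a real listener.
func Probe(method string, withHeader bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := APICSRFProtection()(ok)
	req := httptest.NewRequest(method, "/api/v1/items", nil) // path is constructed
	if withHeader {
		req.Header.Set(requiredHeader, "XMLHttpRequest")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct {
		method     string
		withHeader bool
	}{
		{"GET", false}, {"OPTIONS", false}, {"POST", false},
		{"POST", true}, {"DELETE", false}, {"DELETE", true},
	}
	for _, c := range cases {
		fmt.Printf("%-7s header=%-5v -> %d\n", c.method, c.withHeader, Probe(c.method, c.withHeader))
	}
}
```

Running it shows GET and OPTIONS passing without the header while POST and DELETE are refused with 403 until the header is present. Note that the check does not distinguish header values; any non-empty X-Requested-With satisfies it, which is enough because the property being relied on is that the header exists at all, not what it says.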
@@ -102,8 +102,11 @@ func (s *Server) SetupRoutes() {
|
||||
})
|
||||
})
|
||||
|
||||
// API v1 routes (cookie-based session auth, no CSRF)
|
||||
// API v1 routes (cookie-based session auth with CSRF protection)
|
||||
s.router.Route("/api/v1", func(r chi.Router) {
|
||||
// CSRF protection: require X-Requested-With header on state-changing requests
|
||||
r.Use(s.mw.APICSRFProtection())
|
||||
|
||||
// Login endpoint is public (returns session cookie)
|
||||
r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
|
||||
|
||||
|
||||
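Review bot: the comment "Login endpoint is public (returns session cookie)" on the `/login` route now understates what this hunk does, because `r.Use(s.mw.APICSRFProtection())` sits above it in the same group and so the login POST also requires X-Requested-With; say so in that comment (for example "Login endpoint is public but still requires X-Requested-With") so a client author who posts the login form without the header knows why it is refused. It is also worth extending the "CSRF protection" comment to note the precondition: the commit message adds X-Requested-With to the CORS allowed headers, so any origin on the CORS allow list can set it, and the check is only as strong as that list.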