sneak/upaas
1
0
Fork 0
Code Issues 6 Pull Requests 6 Actions Packages Projects Releases 1 Wiki Activity

Add API CSRF protection via X-Requested-With header (closes #112)
All checks were successful
Check / check (pull_request) Successful in 11m36s
Details

Browse Source 
- Add APICSRFProtection middleware requiring X-Requested-With header on
  state-changing API requests (POST, PUT, DELETE, PATCH)
- Apply middleware to all /api/v1 routes
- Upgrade session cookie SameSite from Lax to Strict (defense-in-depth)
- Add X-Requested-With to CORS allowed headers
- Add tests for the new middleware

Browsers cannot send custom headers cross-origin without CORS preflight,
which effectively blocks CSRF attacks via cookie-based session auth.
This commit is contained in:
user
2026-02-20 05:33:33 -08:00
parent 4217e62f27
commit efa8f51310
4 changed files with 116 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/service/auth/auth.go
View File

@@ -73,7 +73,7 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
MaxAge: sessionMaxAgeSeconds,
HttpOnly: true,
Secure: !params.Config.Debug,
SameSite: http.SameSiteLaxMode,
SameSite: http.SameSiteStrictMode,
}
return &Service{