upaas

sneak/upaas

Fork 0

Commit Graph

Author	SHA1	Message	Date
user	efa8f51310	Add API CSRF protection via X-Requested-With header (closes #112 ) All checks were successful Check / check (pull_request) Successful in 11m36s Details - Add APICSRFProtection middleware requiring X-Requested-With header on state-changing API requests (POST, PUT, DELETE, PATCH) - Apply middleware to all /api/v1 routes - Upgrade session cookie SameSite from Lax to Strict (defense-in-depth) - Add X-Requested-With to CORS allowed headers - Add tests for the new middleware Browsers cannot send custom headers cross-origin without CORS preflight, which effectively blocks CSRF attacks via cookie-based session auth.	2026-02-20 05:33:33 -08:00

Author

SHA1

Message

Date

user

efa8f51310

Add API CSRF protection via X-Requested-With header (closes #112 )

Check / check (pull_request) Successful in 11m36s

Details

- Add APICSRFProtection middleware requiring X-Requested-With header on
  state-changing API requests (POST, PUT, DELETE, PATCH)
- Apply middleware to all /api/v1 routes
- Upgrade session cookie SameSite from Lax to Strict (defense-in-depth)
- Add X-Requested-With to CORS allowed headers
- Add tests for the new middleware

Browsers cannot send custom headers cross-origin without CORS preflight,
which effectively blocks CSRF attacks via cookie-based session auth.

2026-02-20 05:33:33 -08:00

1 Commits