Add API CSRF protection via X-Requested-With header (closes #112) #116

Closed

clawbot wants to merge 1 commits from fix/112-api-csrf-protection into main

pull from: fix/112-api-csrf-protection

merge into: sneak:main

sneak:main

sneak:fix/audit-bugs-120-125

sneak:fix/1.0-audit-bugs

sneak:refactor/split-app-js

sneak:fix/disable-api-write-methods

sneak:chore/code-cleanup

sneak:ci/check-workflow-only

sneak:fix/repo-url-validation

sneak:fix/main-lint-issues

sneak:feature/api-token-auth

sneak:revert/pr-98

sneak:feat/ci-make-check

sneak:ci/add-check-action

sneak:fix/deploy-cancel-cleanup

sneak:schema-consolidation

sneak:feature/json-api

sneak:chore/update-todo

sneak:feature/edit-config-entities

sneak:feature/deployment-rollback-tests

sneak:update-todo-md

sneak:feature/edit-entities

sneak:feature/deployment-rollback

sneak:feature/deploy-cancel

Conversation 1 Commits 1 Files Changed 4 +116 -3

clawbot commented 2026-02-20 14:33:56 +01:00

Collaborator

Copy Link

Summary

Fixes #112 — API v1 CSRF vulnerability.

The API v1 endpoints use cookie-based session auth without CSRF protection. A malicious website could make authenticated requests (delete apps, trigger deploys, read secrets) via the user's session cookie.

Changes

1. APICSRFProtection middleware — requires X-Requested-With header on state-changing requests (POST/PUT/DELETE/PATCH). Browsers cannot send custom headers cross-origin without CORS preflight, blocking CSRF.
2. Session cookie SameSite=Strict — upgraded from Lax as defense-in-depth.
3. CORS allowed headers — added X-Requested-With for legitimate cross-origin API clients.
4. Tests — 4 test cases covering safe methods, blocked POST/DELETE, and allowed POST with header.

make check output

==> Checking formatting...
==> Running linter...
==> Running tests...
--- PASS (all tests pass)
==> Building...
==> All checks passed!

All checks pass with zero failures.

## Summary Fixes #112 — API v1 CSRF vulnerability. The API v1 endpoints use cookie-based session auth without CSRF protection. A malicious website could make authenticated requests (delete apps, trigger deploys, read secrets) via the user's session cookie. ## Changes 1. **`APICSRFProtection` middleware** — requires `X-Requested-With` header on state-changing requests (POST/PUT/DELETE/PATCH). Browsers cannot send custom headers cross-origin without CORS preflight, blocking CSRF. 2. **Session cookie `SameSite=Strict`** — upgraded from `Lax` as defense-in-depth. 3. **CORS allowed headers** — added `X-Requested-With` for legitimate cross-origin API clients. 4. **Tests** — 4 test cases covering safe methods, blocked POST/DELETE, and allowed POST with header. ## `make check` output ``` ==> Checking formatting... ==> Running linter... ==> Running tests... --- PASS (all tests pass) ==> Building... ==> All checks passed! ``` All checks pass with zero failures.

clawbot added 1 commit 2026-02-20 14:33:56 +01:00

Add API CSRF protection via X-Requested-With header (closes #112) ... efa8f51310

- Add APICSRFProtection middleware requiring X-Requested-With header on
  state-changing API requests (POST, PUT, DELETE, PATCH)
- Apply middleware to all /api/v1 routes
- Upgrade session cookie SameSite from Lax to Strict (defense-in-depth)
- Add X-Requested-With to CORS allowed headers
- Add tests for the new middleware

Browsers cannot send custom headers cross-origin without CORS preflight,
which effectively blocks CSRF attacks via cookie-based session auth.

clawbot commented 2026-02-20 14:34:12 +01:00

Author

Collaborator

Copy Link

Self-Review

Approach: Requires X-Requested-With custom header on non-safe API methods. Browsers cannot send custom headers cross-origin without CORS preflight approval, which prevents CSRF. This is the same pattern used by frameworks like Django REST and Angular.

Reviewed items:

• ✅ Middleware correctly distinguishes safe (GET/HEAD/OPTIONS) vs unsafe methods
• ✅ Returns proper JSON 403 with descriptive error message
• ✅ Applied at the /api/v1 route group level (covers all API endpoints including login)
• ✅ CORS config updated to allow X-Requested-With for legitimate cross-origin clients
• ✅ SameSite=Strict as defense-in-depth (was Lax)
• ✅ 4 test cases with good coverage
• ✅ make check passes with zero failures
• ✅ No linter config changes

Note: The X-Requested-With header requirement applies to the login endpoint too (POST /api/v1/login). This is intentional — API clients must include the header. The web UI login form uses the HTML routes (/login), not the API.

## Self-Review **Approach:** Requires `X-Requested-With` custom header on non-safe API methods. Browsers cannot send custom headers cross-origin without CORS preflight approval, which prevents CSRF. This is the same pattern used by frameworks like Django REST and Angular. **Reviewed items:** - ✅ Middleware correctly distinguishes safe (GET/HEAD/OPTIONS) vs unsafe methods - ✅ Returns proper JSON 403 with descriptive error message - ✅ Applied at the `/api/v1` route group level (covers all API endpoints including login) - ✅ CORS config updated to allow `X-Requested-With` for legitimate cross-origin clients - ✅ `SameSite=Strict` as defense-in-depth (was `Lax`) - ✅ 4 test cases with good coverage - ✅ `make check` passes with zero failures - ✅ No linter config changes **Note:** The `X-Requested-With` header requirement applies to the login endpoint too (`POST /api/v1/login`). This is intentional — API clients must include the header. The web UI login form uses the HTML routes (`/login`), not the API.

clawbot closed this pull request 2026-02-20 14:34:39 +01:00

sneak was assigned by clawbot 2026-02-20 14:34:47 +01:00

All checks were successful

Hide all checks

Check / check (pull_request) Successful in 11m36s

Required

Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

merge-ready

All checks pass, reviewed, rebased, ready for merge

  

merge-ready

  

needs-checks

make check does not pass cleanly

  

needs-checks

  

needs-rebase

PR has merge conflicts or is behind main

  

needs-rebase

  

needs-review

Code review not yet done

  

needs-review

  

needs-rework

Code review found issues to fix

  

needs-rework

  

notplanned

  

question

More information is needed

  

wontfix

This won't be fixed

No Label

bug

duplicate

enhancement

help wanted

invalid

merge-ready

merge-ready

needs-checks

needs-checks

needs-rebase

needs-rebase

needs-review

needs-review

needs-rework

needs-rework

notplanned

question

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

sneak

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#116

No description provided.