Add API CSRF protection via X-Requested-With header (closes #112) #116
Status: Closed

clawbot wants to merge 1 commit from fix/112-api-csrf-protection into sneak:main
1 Commit

| Author | SHA1 | Message | Date |
|---|---|---|---|
| | efa8f51310 | Add API CSRF protection via X-Requested-With header (closes #112) | |

All checks were successful: Check / check (pull_request) Successful in 11m36s

Commit message:

- Add APICSRFProtection middleware requiring X-Requested-With header on state-changing API requests (POST, PUT, DELETE, PATCH)
- Apply middleware to all /api/v1 routes
- Upgrade session cookie SameSite from Lax to Strict (defense-in-depth)
- Add X-Requested-With to CORS allowed headers
- Add tests for the new middleware

Browsers cannot send custom headers cross-origin without CORS preflight, which effectively blocks CSRF attacks via cookie-based session auth.
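The mechanism the commit message describes, as an added example that is not the project's own code: a framework-agnostic WSGI middleware that rejects state-changing requests under the API prefix unless they carry an `X-Requested-With` header, plus the `SameSite=Strict` session cookie from the same change. The class name `APICSRFProtection`, the prefix `/api/v1` and the method list come from the commit message; the WSGI shape, the `is_csrf_safe` helper, the 403 JSON body, the `simulate_request` driver and the extra `Secure`/`HttpOnly` cookie attributes are assumptions made for this example.

```python
"""Added example (not the project's code): X-Requested-With CSRF guard as WSGI middleware.

Why it works: a browser will attach a custom request header to a cross-origin
request only after a successful CORS preflight (OPTIONS). A forged <form> post or
<img> fetch from another origin cannot set X-Requested-With, so a request that
carries it was issued by script running on an origin the CORS policy admits.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

STATE_CHANGING = frozenset({"POST", "PUT", "DELETE", "PATCH"})  # from the commit message
API_PREFIX = "/api/v1"  # assumption: the route prefix the middleware is applied to


def is_csrf_safe(method: str, path: str, headers: Dict[str, str]) -> bool:
    """Decide whether a request may proceed.

    Safe methods and non-API paths are always allowed. State-changing API
    requests must carry a non-empty X-Requested-With header (any value; the
    point is that the header exists, not what it says).
    """
    if not path.startswith(API_PREFIX):
        return True
    if method.upper() not in STATE_CHANGING:
        return True
    value = headers.get("x-requested-with")  # header names are case-insensitive
    return bool(value and value.strip())


class APICSRFProtection:
    """WSGI middleware wrapping an application with the check above."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        method = environ.get("REQUEST_METHOD", "GET")
        path = environ.get("PATH_INFO", "")
        # WSGI exposes request headers as HTTP_<NAME>; normalise to lower-case dashed names.
        headers = {
            key[5:].replace("_", "-").lower(): value
            for key, value in environ.items()
            if key.startswith("HTTP_")
        }
        if not is_csrf_safe(method, path, headers):
            body = b'{"error":"missing X-Requested-With header"}'
            start_response("403 Forbidden", [
                ("Content-Type", "application/json"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def session_cookie(value: str) -> str:
    """Set-Cookie value for the session; SameSite=Strict matches the commit,
    Secure and HttpOnly are assumed defaults for a cookie-based session."""
    return f"session={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


def upstream(environ: dict, start_response: Callable) -> List[bytes]:
    """Stand-in for the real application behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


protected = APICSRFProtection(upstream)


def simulate_request(app: Callable, method: str, path: str,
                     headers: Optional[Dict[str, str]] = None) -> str:
    """Drive a WSGI app with a constructed request and return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured: Dict[str, str] = {}

    def start_response(status: str, _response_headers: List[Tuple[str, str]]) -> None:
        captured["status"] = status

    list(app(environ, start_response))  # consume the body iterable
    return captured["status"]


if __name__ == "__main__":
    # Constructed requests: a forged cross-site POST has the cookie but not the header.
    print(simulate_request(protected, "POST", "/api/v1/items"))
    print(simulate_request(protected, "POST", "/api/v1/items",
                           {"X-Requested-With": "XMLHttpRequest"}))
    print(simulate_request(protected, "GET", "/api/v1/items"))
    print(session_cookie("opaque-session-id"))
```

The guard is only as strong as the CORS policy next to it: the commit adds `X-Requested-With` to the allowed headers, which is fine as long as `Access-Control-Allow-Origin` is not reflected for arbitrary origins together with `Access-Control-Allow-Credentials: true`; a reviewer should check that pairing, since a permissive CORS configuration would let a foreign origin pass the preflight and then send the header. The `SameSite=Strict` cookie is the second layer: even if the header check were bypassed, the browser would not attach the session cookie to a cross-site request.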