fix: add CSRF protection to API v1 routes (closes #112) #117
Reference: sneak/upaas#117
Summary

Add CSRF protection to API v1 routes by requiring the `X-Requested-With` header on all state-changing requests (POST, PUT, DELETE). Browsers will not send custom headers in cross-origin simple requests, blocking CSRF attacks.

Closes #112

Changes

- `APICSRFProtection()` middleware requiring the `X-Requested-With` header on non-GET/HEAD/OPTIONS requests
- `/api/v1` route group
- `X-Requested-With` to CORS allowed headers
- `csrf_test.go` and integration tests
- `make check` output

Pull request closed
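The header-check middleware described in this PR, written here as an added illustration in plain `net/http` and not taken from the upaas repository: its `APICSRFProtection` name matches the PR text, while the `probe` helper, the `/api/v1/items` path and the response codes are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// APICSRFProtection rejects state-changing requests that lack the
// X-Requested-With header. A cross-site HTML form or "simple" fetch cannot
// attach a custom header without a CORS preflight, so such requests are
// refused. GET/HEAD/OPTIONS pass through so reads and CORS preflights still
// work; for legitimate cross-origin clients the CORS layer must also list
// X-Requested-With in Access-Control-Allow-Headers.
func APICSRFProtection(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		if r.Header.Get("X-Requested-With") == "" {
			http.Error(w, "missing X-Requested-With header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe (helper for this example) mounts the middleware on a constructed
// /api/v1/ route group, sends one request and returns the HTTP status code.
func probe(method, headerValue string) int {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/", APICSRFProtection(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})))
	req := httptest.NewRequest(method, "/api/v1/items", nil)
	if headerValue != "" {
		req.Header.Set("X-Requested-With", headerValue)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe(http.MethodPost, ""))               // 403: forged cross-site POST
	fmt.Println(probe(http.MethodPost, "XMLHttpRequest")) // 204: first-party JS client
	fmt.Println(probe(http.MethodGet, ""))                // 204: safe method, no header needed
}
```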