fix: add CSRF protection to API v1 routes (closes #112) #117
Closed
clawbot wants to merge 1 commit from fix/api-csrf-protection into main
pull from: fix/api-csrf-protection
merge into: sneak:main
1 Commit

| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 956a06beb3 | fix: add CSRF protection to API v1 routes (closes #112) | |

All checks were successful
Check / check (pull_request) Successful in 12m25s

Commit message:

Add APICSRFProtection middleware that requires X-Requested-With header on all state-changing (non-GET/HEAD/OPTIONS) API requests. This prevents CSRF attacks since browsers won't send custom headers in cross-origin simple requests (form posts, navigations).

Changes:
- Add APICSRFProtection() middleware in internal/middleware/middleware.go
- Apply middleware to /api/v1 route group in routes.go
- Add X-Requested-With to CORS allowed headers
- Add unit tests for the middleware (csrf_test.go)
- Add integration tests for CSRF rejection/allowance (api_test.go)
- Update existing API tests to include the required header
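The commit message describes the check but the PR page carries no diff, so the following is an added example of the custom-header CSRF defence it names, written against net/http for this page. It is not the project's middleware: the function name APICSRFProtection is borrowed from the commit message, while the path `/api/v1/things`, the helper `statusFor` and the use of net/http rather than the project's router are assumptions. It shows a safe method passing unchecked, a state-changing request without the header being rejected, and the same request succeeding once the header is present.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// APICSRFProtection is a hypothetical net/http version of the middleware the
// commit message describes (not the project's code). It rejects any
// state-changing request that lacks the X-Requested-With header. A browser
// never attaches a custom header to a "simple" cross-origin request (HTML
// form post, top-level navigation, img/script fetch), and a script that does
// set one triggers a CORS preflight the server controls, so the header's
// presence shows the request was made by script from an origin CORS allows.
func APICSRFProtection(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isSafeMethod(r.Method) && r.Header.Get("X-Requested-With") == "" {
			w.Header().Set("Content-Type", "application/json")
			http.Error(w, `{"error":"missing X-Requested-With header"}`, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// isSafeMethod reports whether a method bypasses the check. GET, HEAD and
// OPTIONS are required to be free of side effects, and OPTIONS also carries
// the CORS preflight, which by definition arrives without custom headers.
func isSafeMethod(method string) bool {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	return false
}

// statusFor runs a single constructed request through the middleware and
// returns the resulting status code, so behaviour can be checked offline.
// An empty header value means the header is not sent at all.
func statusFor(method, header string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, "/api/v1/things", nil) // assumed path
	if header != "" {
		req.Header.Set("X-Requested-With", header)
	}
	rec := httptest.NewRecorder()
	APICSRFProtection(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed cases: what a third-party page can make a browser send
	// (no custom header) versus what the site's own JavaScript sends.
	fmt.Println("GET without header:   ", statusFor(http.MethodGet, ""))                // 200
	fmt.Println("POST without header:  ", statusFor(http.MethodPost, ""))               // 403
	fmt.Println("POST with header:     ", statusFor(http.MethodPost, "XMLHttpRequest")) // 200
	fmt.Println("DELETE without header:", statusFor(http.MethodDelete, ""))             // 403
	fmt.Println("OPTIONS (preflight):  ", statusFor(http.MethodOptions, ""))            // 200
}
```

The check only holds as long as the CORS policy stays narrow: the commit adds X-Requested-With to the allowed headers, which is necessary for the site's own cross-origin frontend, but if the allowed origin were ever widened to `*` or reflected from the request, any origin could pass the preflight and send the header, and the protection would be void. A test that asserts an unapproved origin's preflight is refused belongs next to the tests for the middleware itself.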