sneak/upaas
1
0
Fork 0
Code Issues 14 Pull Requests 2 Actions Packages Projects Releases Wiki Activity
956a06beb3
upaas/internal/middleware
History
user 956a06beb3
All checks were successful
Check / check (pull_request) Successful in 12m25s
Details
fix: add CSRF protection to API v1 routes (closes #112) 
Add APICSRFProtection middleware that requires X-Requested-With header
on all state-changing (non-GET/HEAD/OPTIONS) API requests. This prevents
CSRF attacks since browsers won't send custom headers in cross-origin
simple requests (form posts, navigations).

Changes:
- Add APICSRFProtection() middleware in internal/middleware/middleware.go
- Apply middleware to /api/v1 route group in routes.go
- Add X-Requested-With to CORS allowed headers
- Add unit tests for the middleware (csrf_test.go)
- Add integration tests for CSRF rejection/allowance (api_test.go)
- Update existing API tests to include the required header
2026-02-20 05:34:25 -08:00
..
cors_test.go fix: restrict CORS to configured origins (closes #40) 2026-02-19 13:45:18 -08:00
csrf_test.go fix: add CSRF protection to API v1 routes (closes #112) 2026-02-20 05:34:25 -08:00
middleware.go fix: add CSRF protection to API v1 routes (closes #112) 2026-02-20 05:34:25 -08:00
ratelimit_test.go fix: resolve all golangci-lint issues 2026-02-15 21:55:24 -08:00
realip_test.go fix: only trust proxy headers from RFC1918/loopback sources (closes #44) 2026-02-15 22:01:54 -08:00