upaas

History

user 956a06beb3 All checks were successful Check / check (pull_request) Successful in 12m25s Details fix: add CSRF protection to API v1 routes (closes #112 ) Add APICSRFProtection middleware that requires X-Requested-With header on all state-changing (non-GET/HEAD/OPTIONS) API requests. This prevents CSRF attacks since browsers won't send custom headers in cross-origin simple requests (form posts, navigations). Changes: - Add APICSRFProtection() middleware in internal/middleware/middleware.go - Apply middleware to /api/v1 route group in routes.go - Add X-Requested-With to CORS allowed headers - Add unit tests for the middleware (csrf_test.go) - Add integration tests for CSRF rejection/allowance (api_test.go) - Update existing API tests to include the required header	2026-02-20 05:34:25 -08:00
..
routes.go	fix: add CSRF protection to API v1 routes (closes #112 )	2026-02-20 05:34:25 -08:00
server.go	Initial commit with server startup infrastructure	2025-12-29 15:46:03 +07:00

Check / check (pull_request) Successful in 12m25s

Details

fix: add CSRF protection to API v1 routes (closes #112 )

Add APICSRFProtection middleware that requires X-Requested-With header
on all state-changing (non-GET/HEAD/OPTIONS) API requests. This prevents
CSRF attacks since browsers won't send custom headers in cross-origin
simple requests (form posts, navigations).

Changes:
- Add APICSRFProtection() middleware in internal/middleware/middleware.go
- Apply middleware to /api/v1 route group in routes.go
- Add X-Requested-With to CORS allowed headers
- Add unit tests for the middleware (csrf_test.go)
- Add integration tests for CSRF rejection/allowance (api_test.go)
- Update existing API tests to include the required header

2026-02-20 05:34:25 -08:00

routes.go

fix: add CSRF protection to API v1 routes (closes #112 )

2026-02-20 05:34:25 -08:00

server.go

Initial commit with server startup infrastructure

2025-12-29 15:46:03 +07:00