upaas/internal/middleware
user efa8f51310
Add API CSRF protection via X-Requested-With header (closes #112)
- Add APICSRFProtection middleware requiring X-Requested-With header on
  state-changing API requests (POST, PUT, DELETE, PATCH)
- Apply middleware to all /api/v1 routes
- Upgrade session cookie SameSite from Lax to Strict (defense-in-depth)
- Add X-Requested-With to CORS allowed headers
- Add tests for the new middleware

Browsers cannot send custom headers cross-origin without CORS preflight,
which effectively blocks CSRF attacks via cookie-based session auth.
2026-02-20 05:33:33 -08:00
apicsrf_test.go Add API CSRF protection via X-Requested-With header (closes #112) 2026-02-20 05:33:33 -08:00
cors_test.go fix: restrict CORS to configured origins (closes #40) 2026-02-19 13:45:18 -08:00
middleware.go Add API CSRF protection via X-Requested-With header (closes #112) 2026-02-20 05:33:33 -08:00
ratelimit_test.go fix: resolve all golangci-lint issues 2026-02-15 21:55:24 -08:00
realip_test.go fix: only trust proxy headers from RFC1918/loopback sources (closes #44) 2026-02-15 22:01:54 -08:00