upaas

History

user efa8f51310 All checks were successful Check / check (pull_request) Successful in 11m36s Details Add API CSRF protection via X-Requested-With header (closes #112 ) - Add APICSRFProtection middleware requiring X-Requested-With header on state-changing API requests (POST, PUT, DELETE, PATCH) - Apply middleware to all /api/v1 routes - Upgrade session cookie SameSite from Lax to Strict (defense-in-depth) - Add X-Requested-With to CORS allowed headers - Add tests for the new middleware Browsers cannot send custom headers cross-origin without CORS preflight, which effectively blocks CSRF attacks via cookie-based session auth.	2026-02-20 05:33:33 -08:00
..
routes.go	Add API CSRF protection via X-Requested-With header (closes #112 )	2026-02-20 05:33:33 -08:00
server.go	Initial commit with server startup infrastructure	2025-12-29 15:46:03 +07:00

Check / check (pull_request) Successful in 11m36s

Details

Add API CSRF protection via X-Requested-With header (closes #112 )

- Add APICSRFProtection middleware requiring X-Requested-With header on
  state-changing API requests (POST, PUT, DELETE, PATCH)
- Apply middleware to all /api/v1 routes
- Upgrade session cookie SameSite from Lax to Strict (defense-in-depth)
- Add X-Requested-With to CORS allowed headers
- Add tests for the new middleware

Browsers cannot send custom headers cross-origin without CORS preflight,
which effectively blocks CSRF attacks via cookie-based session auth.

2026-02-20 05:33:33 -08:00

routes.go

Add API CSRF protection via X-Requested-With header (closes #112 )

2026-02-20 05:33:33 -08:00

server.go

Initial commit with server startup infrastructure

2025-12-29 15:46:03 +07:00