upaas

History

user efa8f51310 All checks were successful Check / check (pull_request) Successful in 11m36s Details Add API CSRF protection via X-Requested-With header (closes #112 ) - Add APICSRFProtection middleware requiring X-Requested-With header on state-changing API requests (POST, PUT, DELETE, PATCH) - Apply middleware to all /api/v1 routes - Upgrade session cookie SameSite from Lax to Strict (defense-in-depth) - Add X-Requested-With to CORS allowed headers - Add tests for the new middleware Browsers cannot send custom headers cross-origin without CORS preflight, which effectively blocks CSRF attacks via cookie-based session auth.	2026-02-20 05:33:33 -08:00
..
auth_test.go	fix: set DestroySession MaxAge to -1 instead of -1*time.Second (closes #39 )	2026-02-15 22:07:57 -08:00
auth.go	Add API CSRF protection via X-Requested-With header (closes #112 )	2026-02-20 05:33:33 -08:00

Check / check (pull_request) Successful in 11m36s

Details

Add API CSRF protection via X-Requested-With header (closes #112 )

- Add APICSRFProtection middleware requiring X-Requested-With header on
  state-changing API requests (POST, PUT, DELETE, PATCH)
- Apply middleware to all /api/v1 routes
- Upgrade session cookie SameSite from Lax to Strict (defense-in-depth)
- Add X-Requested-With to CORS allowed headers
- Add tests for the new middleware

Browsers cannot send custom headers cross-origin without CORS preflight,
which effectively blocks CSRF attacks via cookie-based session auth.

2026-02-20 05:33:33 -08:00

auth_test.go

fix: set DestroySession MaxAge to -1 instead of -1*time.Second (closes #39 )

2026-02-15 22:07:57 -08:00

auth.go

Add API CSRF protection via X-Requested-With header (closes #112 )

2026-02-20 05:33:33 -08:00