24543050828
84%
master: 84%

Ran 17 Apr 2026 01:32AM UTC

Jobs 1

Files 15

Run time 1min

Badge

Embed ▾

Committed 17 Apr 2026 01:30AM UTC coverage: 83.743% (+0.008%) from 83.735%

Build # 24543050828

Build Type

Pull #119

github

Committed by

paskal

Commit Message

Wrap router with http.CrossOriginProtection for CSRF defence

Add Go 1.25's http.NewCrossOriginProtection().Handler to the global
middleware chain. Previously the only CSRF defence was SameSite=Strict
on the session cookie, which Firefox does not enforce by default and
which subdomain attacks can bypass.

The middleware checks Sec-Fetch-Site (forbidden header, set by all
major browsers since 2023) with an Origin/Host fallback. Safe methods
and non-browser POSTs (no Sec-Fetch-Site header, e.g. curl/scripts
hitting /api/v1/) pass through unchanged.

Pull Request Pull Request #119: Wrap router with http.CrossOriginProtection for CSRF defence

Coverage Stats

1 of 1 new or added line in 1 file covered. (100.0%)

1705 of 2036 relevant lines covered (83.74%)

76.23 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	24543050828.1	17 Apr 2026 01:32AM UTC	15	83.74	GitHub Action Run

umputun / secrets / 24543050828
84%
master: 84%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 24543050828

umputun / secrets / 24543050828 84% master: 84%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 24543050828

umputun / secrets / 24543050828
84%
master: 84%

README BADGES
x