umputun / tg-spam / 24545188010

83%

push

github

Wrap webapi router with http.CrossOriginProtection for CSRF defence

Add Go 1.25's http.NewCrossOriginProtection().Handler to the webapi
middleware chain. Previously the only protection on POST/PUT/DELETE
endpoints was HTTP basic auth, which the browser will replay on
cross-origin requests once credentials are cached. With the htmx UI
performing many state-changing operations (POST /spam, /ham,
/users/add, /dictionary/add, PUT /samples, etc), this left the
webapi vulnerable to CSRF.

The middleware checks Sec-Fetch-Site (forbidden header, set by all
major browsers since 2023) with an Origin/Host fallback. Same-origin
htmx requests pass through unchanged; non-browser API consumers (no
Sec-Fetch-Site header) also pass through.

1 of 1 new or added line in 1 file covered. (100.0%)

6986 of 8428 relevant lines covered (82.89%)

257.62 hits per line