1
84%
master: 84%

Ran 17 Apr 2026 01:32AM UTC

Files 15

Run time 0s

Badge

Embed ▾

Committed 17 Apr 2026 01:30AM UTC coverage: 83.743% (+0.008%) from 83.735%

Job # 24543050828.1

Build Type

Pull #119

github

Committed by

paskal

Commit Message

Wrap router with http.CrossOriginProtection for CSRF defence

Add Go 1.25's http.NewCrossOriginProtection().Handler to the global
middleware chain. Previously the only CSRF defence was SameSite=Strict
on the session cookie, which Firefox does not enforce by default and
which subdomain attacks can bypass.

The middleware checks Sec-Fetch-Site (forbidden header, set by all
major browsers since 2023) with an Origin/Host fallback. Safe methods
and non-browser POSTs (no Sec-Fetch-Site header, e.g. curl/scripts
hitting /api/v1/) pass through unchanged.

Pull Request Pull Request #119: Wrap router with http.CrossOriginProtection for CSRF defence

Coverage Stats

1705 of 2036 relevant lines covered (83.74%)

76.23 hits per line

umputun / secrets / 24543050828 / 1
84%
master: 84%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 24543050828.1

umputun / secrets / 24543050828 / 1 84% master: 84%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 24543050828.1

umputun / secrets / 24543050828 / 1
84%
master: 84%

README BADGES
x