umputun / secrets

84%

master: 84%

LAST BUILD ON BRANCH feat/csrf-protection

branch: SELECT

CHANGE BRANCH

x

Sync Branches

• No branch selected
• add-shell-completions
• audit-logging-improvements
• auth-for-link-generation
• bump-ver
• bump_modules
• ciphertext-format-validation
• csp-inline-scripts-elimination
• dependabot
• dependabot/github_actions/github-actions-updates-167a898cab
• dependabot/github_actions/github-actions-updates-2d3733e69a
• dependabot/github_actions/github-actions-updates-35b2a8182b
• dependabot/github_actions/github-actions-updates-822744b99e
• dependabot/github_actions/github-actions-updates-900e03fd4a
• dependabot/github_actions/github-actions-updates-b48345356d
• dependabot/github_actions/github-actions-updates-c0bc7ccf5f
• dependabot/go_modules/github.com/go-pkgz/lgr-0.12.2
• dependabot/go_modules/github.com/go-pkgz/lgr-0.12.3
• dependabot/go_modules/github.com/go-pkgz/rest-1.21.0
• dependabot/go_modules/github.com/go-pkgz/routegroup-1.6.0
• dependabot/go_modules/github.com/playwright-community/playwright-go-0.5700.0
• dependabot/go_modules/github.com/playwright-community/playwright-go-0.5700.1
• dependabot/go_modules/github.com/stretchr/testify-1.11.0
• dependabot/go_modules/go-modules-updates-1bff98da5a
• dependabot/go_modules/go-modules-updates-3f2513770d
• dependabot/go_modules/go-modules-updates-709908b018
• dependabot/go_modules/go-modules-updates-891cda64be
• dependabot/go_modules/go-modules-updates-acb2299ea6
• dependabot/go_modules/go-modules-updates-be53f05598
• dependabot/go_modules/go-modules-updates-dc9768f38b
• dependabot/go_modules/go-modules-updates-dd7da38a6b
• dependabot/go_modules/golang.org/x/crypto-0.17.0
• dependabot/go_modules/golang.org/x/crypto-0.31.0
• dependabot/go_modules/golang.org/x/crypto-0.41.0
• dependabot/go_modules/golang.org/x/crypto-0.43.0
• dependabot/go_modules/golang.org/x/crypto-0.44.0
• dependabot/go_modules/golang.org/x/crypto-0.46.0
• dependabot/go_modules/golang.org/x/crypto-0.47.0
• dependabot/go_modules/golang.org/x/crypto-0.48.0
• dependabot/go_modules/golang.org/x/crypto-0.49.0
• dependabot/go_modules/golang.org/x/crypto-0.50.0
• dependabot/go_modules/modernc.org/sqlite-1.42.2
• dependabot/go_modules/modernc.org/sqlite-1.48.1
• dependabot/go_modules/modernc.org/sqlite-1.48.2
• dependabot/npm_and_yarn/frontend/copy-props-2.0.5
• dependabot/npm_and_yarn/frontend/decode-uri-component-0.2.2
• dependabot/npm_and_yarn/frontend/engine.io-and-browser-sync-6.2.1
• dependabot/npm_and_yarn/frontend/follow-redirects-1.14.8
• dependabot/npm_and_yarn/frontend/ini-1.3.8
• dependabot/npm_and_yarn/frontend/lodash-4.17.19
• dependabot/npm_and_yarn/frontend/minimist-1.2.6
• dependabot/npm_and_yarn/frontend/socket.io-parser-3.3.3
• dependabot/npm_and_yarn/frontend/ua-parser-js-0.7.33
• e2e-tests
• feat/csrf-protection
• feat/file-upload
• feat/file-upload-v2
• feat/ui-redesign
• feature/email-sharing
• feature/paranoid-mode-sqlite
• fix-content-type-header
• fix/file-upload-review-fixes
• fix/filename-wrapping
• humanDuration-fix
• hybrid-encryption-mode
• increase-test-coverage
• issue-31-new-ui
• issue-40-fix-http
• issue-refactor-for-issue-40
• master
• migrate-router-to-routegroup
• modern
• modern-ui-redesign
• multiple-domains
• optional-pin
• paskal/dependabot-security-updates
• paskal/fix_golangci_lint
• refs/tags/v1.0.0
• refs/tags/v1.0.1
• refs/tags/v1.1.0
• refs/tags/v1.2.0
• refs/tags/v1.2.1
• refs/tags/v1.2.2
• refs/tags/v1.2.3
• refs/tags/v1.2.4
• refs/tags/v1.3.0
• refs/tags/v1.4.0
• refs/tags/v1.4.1
• refs/tags/v1.4.2
• refs/tags/v1.4.3
• refs/tags/v1.4.4
• refs/tags/v1.4.5
• refs/tags/v1.5.0
• refs/tags/v1.5.1
• refs/tags/v1.6.0
• refs/tags/v1.6.1
• refs/tags/v1.6.2
• refs/tags/v1.6.3
• refs/tags/v1.7.0
• refs/tags/v1.7.1
• refs/tags/v1.8.0
• refs/tags/v1.8.1
• refs/tags/v1.9.0
• refs/tags/v1.9.1
• refs/tags/v1.9.2
• refs/tags/v1.9.3
• refs/tags/v2.0.0
• refs/tags/v2.1.0
• refs/tags/v2.2.0
• refs/tags/v2.2.1
• refs/tags/v2.2.2
• refs/tags/v2.2.3
• refs/tags/v2.2.4
• refs/tags/v2.2.5
• refs/tags/v2.2.6
• remove-old-frontend
• seo-improvements

Build # 24543050828

Build Type

Pull #119

github

Committed by paskal

Commit Message

Wrap router with http.CrossOriginProtection for CSRF defence

Add Go 1.25's http.NewCrossOriginProtection().Handler to the global
middleware chain. Previously the only CSRF defence was SameSite=Strict
on the session cookie, which Firefox does not enforce by default and
which subdomain attacks can bypass.

The middleware checks Sec-Fetch-Site (forbidden header, set by all
major browsers since 2023) with an Origin/Host fallback. Safe methods
and non-browser POSTs (no Sec-Fetch-Site header, e.g. curl/scripts
hitting /api/v1/) pass through unchanged.

Pull Request Pull Request #119: Wrap router with http.CrossOriginProtection for CSRF defence

Coverage Stats

1 of 1 new or added line in 1 file covered. (100.0%)

1705 of 2036 relevant lines covered (83.74%)

76.23 hits per line