yawn/tower-csrf
tower-csrf

This is experimental middleware for tower. It has not received a formal audit.

It provides modern CSRF protection as outlined in a blogpost by Filippo Valsorda, discussing the research background for integrating CSRF protection in Go 1.25's net/http.

This repository has been discussed in tower and the axum project respectively.

This boils down to (quoting from the blog):

  1. Allow all GET, HEAD, or OPTIONS requests - this implies that no relevant state changes are performed at endpoints behind such safe methods
  2. If the Origin header matches an allow-list of trusted origins, allow the request
  3. If the Sec-Fetch-Site header is present and the value is same-origin or none, allow the request, otherwise reject
  4. If neither the Sec-Fetch-Site nor the Origin headers are present, allow the request
  5. If the Origin header’s host (including the port) matches the Host header, allow the request, otherwise reject it
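The five steps above, modelled as an added, std-only example (this is not the tower-csrf crate's own code, and the `Req` struct, `check` function and `Verdict` enum are assumed names for the purpose of the illustration). The ordering matters: a cross-site `Sec-Fetch-Site` rejects in step 3 even when the `Origin` host would have matched `Host` in step 5, and a request with neither header is allowed in step 4 before the host comparison ever runs.

```rust
// Added example, not code from the tower-csrf crate: a std-only model of the
// five-step decision so the ordering of the checks can be exercised against
// constructed requests. A real middleware would read these fields from the
// http::Request it wraps.

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Allow(&'static str),
    Reject(&'static str),
}

/// Minimal view of the request fields the algorithm needs (assumed shape).
pub struct Req<'a> {
    pub method: &'a str,
    pub origin: Option<&'a str>,
    pub sec_fetch_site: Option<&'a str>,
    pub host: Option<&'a str>,
}

/// Extract the `host[:port]` part of an Origin value such as
/// `https://app.example:8443`. Returns None for opaque ("null") or malformed
/// origins, which therefore fail the step-5 comparison.
fn origin_host(origin: &str) -> Option<&str> {
    let rest = origin
        .strip_prefix("https://")
        .or_else(|| origin.strip_prefix("http://"))?;
    if rest.is_empty() || rest.contains('/') {
        return None;
    }
    Some(rest)
}

pub fn check(req: &Req<'_>, trusted_origins: &[&str]) -> Verdict {
    // 1. Safe methods are allowed unconditionally; the contract is that
    //    they perform no relevant state change.
    if matches!(req.method.to_ascii_uppercase().as_str(), "GET" | "HEAD" | "OPTIONS") {
        return Verdict::Allow("safe method");
    }
    // 2. Explicitly trusted origins (whole origin, scheme included).
    if let Some(origin) = req.origin {
        if trusted_origins.iter().any(|t| t.eq_ignore_ascii_case(origin)) {
            return Verdict::Allow("trusted origin");
        }
    }
    // 3. Sec-Fetch-Site is decisive whenever the browser sent it.
    if let Some(site) = req.sec_fetch_site {
        return match site {
            "same-origin" | "none" => Verdict::Allow("sec-fetch-site"),
            _ => Verdict::Reject("cross-site per sec-fetch-site"),
        };
    }
    // 4. Neither header present: not a (modern) browser, so allow.
    let origin = match req.origin {
        Some(o) => o,
        None => return Verdict::Allow("no browser headers"),
    };
    // 5. Fall back to comparing Origin's host:port with the Host header.
    //    No default-port normalisation is done here, matching the rule as quoted.
    match (origin_host(origin), req.host) {
        (Some(oh), Some(h)) if oh.eq_ignore_ascii_case(h) => Verdict::Allow("origin matches host"),
        _ => Verdict::Reject("origin does not match host"),
    }
}

fn main() {
    // Constructed sample requests, one per branch of the decision.
    let samples = [
        Req { method: "GET", origin: Some("https://evil.example"), sec_fetch_site: Some("cross-site"), host: Some("app.example") },
        Req { method: "POST", origin: Some("https://evil.example"), sec_fetch_site: Some("cross-site"), host: Some("app.example") },
        Req { method: "POST", origin: None, sec_fetch_site: None, host: Some("app.example") },
        Req { method: "POST", origin: Some("https://app.example:8443"), sec_fetch_site: None, host: Some("app.example:8443") },
        Req { method: "POST", origin: Some("null"), sec_fetch_site: None, host: Some("app.example") },
    ];
    for r in &samples {
        println!("{} origin={:?} sfs={:?} -> {:?}", r.method, r.origin, r.sec_fetch_site, check(r, &[]));
    }
}
```

A request whose `Origin` is the opaque value `null` (sent for example from sandboxed frames) has no host to compare, so it is rejected at step 5 unless the deployment has listed it as trusted; that is the conservative outcome and the one this model produces.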

See tests/csrf.rs for an example using Axum.

About

Go 1.25+ CSRF middleware port for Rust Tower