Modern protection against cross-site request forgery (CSRF) attacks.
This is experimental middleware for Tower. It provides modern CSRF protection as outlined in a blog post by Filippo Valsorda, discussing the research background for integrating CSRF protection in Go 1.25's net/http.
This boils down to (quoting from the blog):
- Allow all GET, HEAD, or OPTIONS requests
- If the Origin header matches an allow-list of trusted origins, allow the request
- If the Sec-Fetch-Site header is present and the value is same-origin or none, allow the request, otherwise reject
- If neither the Sec-Fetch-Site nor the Origin headers are present, allow the request
- If the Origin header's host (including the port) matches the Host header, allow the request, otherwise reject it
The crate uses tracing to log passed requests and configuration changes. Errors are not logged; they are simply passed through the chain.
Structs
- CrossOriginProtectionLayer - Decorates an HTTP service with CSRF protection.
- CrossOriginProtectionMiddleware - CSRF protection middleware for HTTP requests.
Enums
- ConfigError - Errors that can occur during configuration of the layer.
- ProtectionError - Errors that can occur during request processing of the middleware.