
security: add CSRF token protection (signed double-submit cookie)#702

Merged
lane711 merged 1 commit into main from merge-pr-668-csrf-protection
Mar 26, 2026

Conversation

@lane711
Collaborator

lane711 commented Mar 26, 2026

Summary

Cherry-picked from #668 by @mmcintosh

Adds CSRF token protection using a signed double-submit cookie pattern to protect against cross-site request forgery attacks.


Attribution

Closes #668

🤖 Generated with Claude Code

Add stateless CSRF protection using the Signed Double-Submit Cookie
pattern with HMAC-SHA256 signatures keyed on JWT_SECRET.

- New csrf.ts middleware: generates/validates signed tokens
- Token format: <nonce>.<hmac_signature>, base64url-encoded
- Header validation (X-CSRF-Token) with form body fallback (_csrf)
- Exempt: safe methods, auth routes, public forms, bearer-only requests
- Admin layout auto-attaches tokens to HTMX and fetch requests
- 40 unit tests + E2E test updates for CSRF compatibility

Fixes VULN-006
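The mechanism the commit message describes (signed double-submit cookie, HMAC-SHA256 over a nonce keyed on the secret, X-CSRF-Token header with a `_csrf` form-body fallback, exemptions for safe methods, auth routes and bearer-only requests), as an added TypeScript example that is not the project's csrf.ts. The cookie name `csrf_token`, the `/auth/` prefix, the `Req` shape and the `csrfCheck` function are assumptions made for the example.

```typescript
// Added example, not the project's csrf.ts. Assumed: cookie name "csrf_token",
// auth prefix "/auth/", the Req shape, csrfCheck(). Token: "<nonce>.<sig>",
// sig = HMAC-SHA256(secret, nonce), both halves base64url, as in the PR.
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const EXEMPT_PREFIXES = ["/auth/"]; // hypothetical auth routes (no session yet)

function sign(secret: string, nonce: string): string {
  return createHmac("sha256", secret).update(nonce).digest("base64url");
}
// Constant-time compare so a mismatch leaks no timing information.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a), bb = Buffer.from(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}
// Mint a token; the server sets it as a cookie and embeds it in the page.
function generateToken(secret: string): string {
  const nonce = randomBytes(16).toString("base64url");
  return `${nonce}.${sign(secret, nonce)}`;
}
// Stateless check: recompute the signature over the nonce and compare.
function verifyToken(secret: string, token: string): boolean {
  const parts = token.split(".");
  if (parts.length !== 2 || parts[0].length === 0) return false;
  return safeEqual(sign(secret, parts[0]), parts[1]);
}
interface Req {
  method: string;
  path: string;
  headers: Record<string, string>; // lower-case header names
  cookies: Record<string, string>;
  body?: Record<string, string>; // parsed form body, if any
}
// Returns null when the request passes, otherwise the rejection reason.
function csrfCheck(secret: string, req: Req): string | null {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return null;
  if (EXEMPT_PREFIXES.some((p) => req.path.startsWith(p))) return null;
  // Bearer-only: no cookies means the browser attached nothing automatically.
  const bearer = /^Bearer /i.test(req.headers["authorization"] ?? "");
  if (bearer && Object.keys(req.cookies).length === 0) return null;
  const cookie = req.cookies["csrf_token"];
  const submitted = req.headers["x-csrf-token"] ?? req.body?.["_csrf"];
  if (!cookie || !submitted) return "missing token";
  if (!safeEqual(cookie, submitted)) return "token mismatch";
  if (!verifyToken(secret, cookie)) return "bad signature";
  return null;
}
```

Because validation only recomputes the HMAC, no server-side token store is needed; rotating the secret invalidates every outstanding token at once.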
lane711 merged commit 8bb8893 into main on Mar 26, 2026
2 checks passed