built-in CSRF protect

[Niccolum]

First Check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

from fastapi import FastAPI

app = FastAPI()


@app.get("/")
def read_root():
    return {"Hello": "World"}

@app.post("/")
def post_root():
    with open("some_data", 'w') as f:
        f.write("superimportant_data")

Description

Now we have plugin fastapi_csrf_protect, but it looks like strange. Just see code here:

https://www.stackhawk.com/blog/csrf-protection-in-fastapi/

Wanted Solution

Feature request for built-in csrf settings, which will looks like cors - as middleware.

Just something like https://github.com/frankie567/starlette-csrf, but built-in fastapi

Wanted Code

from fastapi import FastAPI
from fastapi.middlewares import CSRFMiddleware

from app.core import app_config

app = FastAPI()
app.add_middleware(CSRFMiddleware, secret="__CHANGE_ME__")

@app.get("/")
def read_root():
    return {"Hello": "World"}

@app.post("/", csrf_token=True) # by default
def post_root():
    with open("secure_file", 'w') as f:
        f.write("superimportant_data")

@app.post("/access_post_without_csrf/", csrf_token=False) 
    with open("unsecure_file", 'w') as f:
        f.write("some_data")

Alternatives

https://github.com/frankie567/starlette-csrf

Operating System

Linux, Windows, macOS

Operating System Details

No response

FastAPI Version

latest

Python Version

3.10.1

Additional Context

No response

[gnat]

FastAPI community is welcome to use my code: https://github.com/gnat/csrf-starlette-fastapi/blob/main/csrf_middleware.py

50 lines.

See: https://github.com/gnat/csrf-starlette-fastapi#why-you-may-not-need-a-csrf-middleware-in-2022

[Niccolum]

FastAPI community is welcome to use my code: https://github.com/gnat/csrf-starlette-fastapi/blob/main/csrf_middleware.py

~50 lines.

It's good, that you have your own implementation. But I said about built-in support. How it's important we can see in similar issue in starlette, which now is discussion.
Kludex/starlette#1411

[BigSamu]

+1. This will be a really good enhancement for the framework

[gnat]

Update- why you don't need a middleware for CSRF in 2022: https://github.com/gnat/csrf-starlette-fastapi#why-you-may-not-need-a-csrf-middleware-in-2022

tl;dr: Browsers have improved enough that you can use a dual-cookie system: one lax, one strict.

[Niccolum]

@gnat it's okay for newer browsers. What about older?

Also, not protected with subdomain attack

[mecampbellsoup]

Just something like frankie567/starlette-csrf, but built-in fastapi

Why can't one just use the starlette middleware?