security: add Origin header validation for CSRF protection#413
Merged
its-me-abhishek merged 2 commits intomainfrom Jan 21, 2026
Merged
security: add Origin header validation for CSRF protection#413its-me-abhishek merged 2 commits intomainfrom
its-me-abhishek merged 2 commits intomainfrom
Conversation
Validate Origin header on state-changing requests (POST, PUT, DELETE) to provide additional CSRF protection beyond SameSite cookies. - Add isOriginAllowed() function to validate request origins - Reject requests with invalid/disallowed Origin headers on POST/PUT/DELETE - Allow localhost origins in development mode - Log rejected requests for security monitoring - Dynamic CORS header based on request origin This complements SameSite=Lax cookies for comprehensive CSRF protection. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
Thank you for opening this PR! Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools. Please take a moment to:
More information on how to conduct a self review: This helps make the review process smoother and gives us a clearer understanding of your thought process. Once you've added your self-review, we'll continue from our side. Thank you! |
Collaborator
its-me-abhishek
left a comment
its-me-abhishek
left a comment
There was a problem hiding this comment.
Can add w.Header().Add("Vary", "Origin") before the response, to prevent caching at all (if required) else looks okay to me.
Addresses review feedback to add the Vary header when responses differ based on the Origin header. This prevents browsers and CDNs from incorrectly caching CORS responses. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
its-me-abhishek
approved these changes
Jan 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security Issue Addressed
No CSRF Protection on POST (Low) - Previously relied only on CORS headers for protection. This PR adds explicit Origin header validation on state-changing requests.
Changes
backend/controllers/app_handlers.go:isOriginAllowed()function to validate request originsEnableCORS()to reject POST/PUT/DELETE requests from disallowed originsCSRF Protection Layers
With this PR, the application now has multiple layers of CSRF protection:
Test plan
🤖 Generated with Claude Code