Skip to content

CRSF with Sec-Fetch-Site checks #2858

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aldas merged 2 commits into from
Dec 29, 2025
Merged

CRSF with Sec-Fetch-Site checks #2858

aldas merged 2 commits into from
Dec 29, 2025
+842 −40

Conversation

@aldas
Copy link
Contributor

@aldas aldas commented Dec 29, 2025
edited
Loading

@codecov
Copy link

codecov bot commented Dec 29, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 90.19608% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.51%. Comparing base (f24aaff) to head (d0b9f86).
⚠️ Report is 40 commits behind head on master.

Files with missing lines Patch % Lines
middleware/middleware.go 60.00% 1 Missing and 1 partial ⚠️
middleware/util.go 85.71% 1 Missing and 1 partial ⚠️
middleware/csrf.go 96.87% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2858      +/-   ##
==========================================
+ Coverage   93.25%   93.51%   +0.26%     
==========================================
  Files          39       42       +3     
  Lines        4652     4287     -365     
==========================================
- Hits         4338     4009     -329     
+ Misses        218      159      -59     
- Partials       96      119      +23

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@aldas
Copy link
Contributor Author

aldas commented Dec 29, 2025
edited
Loading

NB: in v4 we fall back to legacy token when Sec-Fetch-Site = same-site. In v5 same-site will be blocked as default behavior.

blocking same-site would be probably breaking change for applications that deal with requests from sub-domains.

	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
		TrustedOrigins: []string{"https://example.com", "https://subdomain.example.com"},
		
		// or custom check when request is state-changing and Sec-Fetch-Site is `cross-site` or `same-site`
		AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
			return false, echo.NewHTTPError(http.StatusForbidden, "request blocked by CSRF")
			// return true, nil  // allows CSRF request through
			// return false, nil // falls back to legacy token logic
		},
	}))

@aldas aldas merged commit d0f9d1e into labstack:master Dec 29, 2025
15 of 16 checks passed
@aldas aldas deleted the csrf_sec_fetch_site branch December 29, 2025 21:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aldas