Skip to content

[Security] No CSRF protection on state-mutating API routes #723

Description

@RUKAYAT-CODER

Overview

POST, PATCH, and DELETE handlers across the application (notes, bookmarks, approvals, tips) do not validate a CSRF token. If session cookies are used for authentication, a malicious page visited by an authenticated user can silently submit requests to any of these endpoints and mutate data on behalf of the victim.

Specifications

Features:

  • All state-mutating API routes validate a CSRF token or use a SameSite=Strict cookie strategy
  • Cross-origin requests without a valid token are rejected with HTTP 403

Tasks:

  • Evaluate whether SameSite=Strict on the session cookie is sufficient
  • If not, implement the double-submit cookie pattern with x-csrf-token header validation
  • Add CSRF validation middleware in src/lib/csrfMiddleware.ts
  • Apply it to all non-GET handlers via src/middleware.ts

Impacted Files:

  • src/middleware.ts
  • src/lib/csrfMiddleware.ts (new)
  • src/app/api/notes/route.ts
  • src/app/api/bookmarks/route.ts
  • src/app/api/approvals/route.ts

Acceptance Criteria

  • Cross-origin POST requests without a valid CSRF token return HTTP 403
  • Same-origin requests with a valid token succeed
  • Auth endpoints are exempt as they do not require a pre-existing session

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions