Skip to content

CRSF with Sec-Fetch-Site checks#2858

Merged
aldas merged 2 commits intolabstack:masterfrom
aldas:csrf_sec_fetch_site
Dec 29, 2025
Merged

CRSF with Sec-Fetch-Site checks#2858
aldas merged 2 commits intolabstack:masterfrom
aldas:csrf_sec_fetch_site

Conversation

@aldas
Copy link
Contributor

@aldas aldas commented Dec 29, 2025
edited
Loading

@codecov
Copy link

codecov bot commented Dec 29, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 90.19608% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.51%. Comparing base (f24aaff) to head (d0b9f86).
⚠️ Report is 40 commits behind head on master.

Files with missing lines Patch % Lines
middleware/middleware.go 60.00% 1 Missing and 1 partial ⚠️
middleware/util.go 85.71% 1 Missing and 1 partial ⚠️
middleware/csrf.go 96.87% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2858      +/-   ##
==========================================
+ Coverage   93.25%   93.51%   +0.26%     
==========================================
  Files          39       42       +3     
  Lines        4652     4287     -365     
==========================================
- Hits         4338     4009     -329     
+ Misses        218      159      -59     
- Partials       96      119      +23

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@aldas
Copy link
Contributor Author

aldas commented Dec 29, 2025
edited
Loading

NB: in v4 we fall back to legacy token when Sec-Fetch-Site = same-site. In v5 same-site will be blocked as default behavior.

blocking same-site would be probably breaking change for applications that deal with requests from sub-domains.

	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
		TrustedOrigins: []string{"https://example.com", "https://subdomain.example.com"},
		
		// or custom check when request is state-changing and Sec-Fetch-Site is `cross-site` or `same-site`
		AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
			return false, echo.NewHTTPError(http.StatusForbidden, "request blocked by CSRF")
			// return true, nil  // allows CSRF request through
			// return false, nil // falls back to legacy token logic
		},
	}))

@aldas aldas merged commit d0f9d1e into labstack:master Dec 29, 2025
15 of 16 checks passed
@aldas aldas deleted the csrf_sec_fetch_site branch December 29, 2025 21:39
@aldas aldas mentioned this pull request Jan 1, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aldas