fix: Add CSRF protection

2026-03-03 14:30:16 -05:00 · 2026-03-03 14:30:16 -05:00 · 07a935f625
commit 07a935f625
parent d13801e976
3 changed files with 18 additions and 0 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1181,6 +1181,7 @@ dependencies = [
 "serde",
 "thiserror 2.0.18",
 "tower-http",
+ "tower-sec-fetch",
 "tracing",
 "validator",
 ]
@ -5799,6 +5800,18 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"

+[[package]]
+name = "tower-sec-fetch"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff1e78d241de2527d3ef67e49d65d8cb08468c644c3aafac7a988c4accd76547"
+dependencies = [
+ "futures",
+ "http",
+ "tower",
+ "tracing",
+]
+
 [[package]]
 name = "tower-service"
 version = "0.3.3"
--- a/src/web/Cargo.toml
+++ b/src/web/Cargo.toml
@ -35,6 +35,7 @@ tower-http.workspace = true
 serde.workspace = true
 memory-serve = "2.1.0"
 validator = { version = "0.20.0", features = ["derive"] }
+tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }

 [build-dependencies]
 memory-serve = "2.1.0"
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@ -6,6 +6,7 @@ use axum::{
 };
 use conduwuit_service::state;
 use tower_http::set_header::SetResponseHeaderLayer;
+use tower_sec_fetch::SecFetchLayer;

 mod pages;

@ -60,4 +61,7 @@ pub fn build() -> Router<state::State> {
 			header::CONTENT_SECURITY_POLICY,
 			HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
 		))
+		.layer(SecFetchLayer::new(|policy| {
+			policy.allow_safe_methods().reject_missing_metadata();
+		}))
 }