From 07a935f625f035bfa6fd1d93e1116a7b88cb05b0 Mon Sep 17 00:00:00 2001
From: Ginger
Date: Tue, 3 Mar 2026 14:30:16 -0500
Subject: [PATCH] fix: Add CSRF protection

---
 Cargo.lock         | 13 +++++++++++++
 src/web/Cargo.toml |  1 +
 src/web/mod.rs     |  4 ++++
 3 files changed, 18 insertions(+)

diff --git a/Cargo.lock b/Cargo.lock
index cac9afe1..f46f96c8 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1181,6 +1181,7 @@ dependencies = [
  "serde",
  "thiserror 2.0.18",
  "tower-http",
+ "tower-sec-fetch",
  "tracing",
  "validator",
 ]
@@ -5799,6 +5800,18 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
 
+[[package]]
+name = "tower-sec-fetch"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff1e78d241de2527d3ef67e49d65d8cb08468c644c3aafac7a988c4accd76547"
+dependencies = [
+ "futures",
+ "http",
+ "tower",
+ "tracing",
+]
+
 [[package]]
 name = "tower-service"
 version = "0.3.3"
diff --git a/src/web/Cargo.toml b/src/web/Cargo.toml
index bc729f92..fa3243f4 100644
--- a/src/web/Cargo.toml
+++ b/src/web/Cargo.toml
@@ -35,6 +35,7 @@ tower-http.workspace = true
 serde.workspace = true
 memory-serve = "2.1.0"
 validator = { version = "0.20.0", features = ["derive"] }
+tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }
 
 [build-dependencies]
 memory-serve = "2.1.0"
diff --git a/src/web/mod.rs b/src/web/mod.rs
index 302afc21..b0987d9a 100644
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@@ -6,6 +6,7 @@ use axum::{
 };
 use conduwuit_service::state;
 use tower_http::set_header::SetResponseHeaderLayer;
+use tower_sec_fetch::SecFetchLayer;
 
 mod pages;
 
@@ -60,4 +61,7 @@ pub fn build() -> Router {
 			header::CONTENT_SECURITY_POLICY,
 			HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
 		))
+		.layer(SecFetchLayer::new(|policy| {
+			policy.allow_safe_methods().reject_missing_metadata();
+		}))
 }
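Review bot: The `SecFetchLayer` is added after the `SetResponseHeaderLayer` calls in `build()`, and since in axum a later `.layer()` wraps the earlier ones, a request the Fetch Metadata policy rejects is answered before the `Content-Security-Policy` (and any other headers set above, outside the hunk) are applied — if that reading of the ordering is right, move the `.layer(SecFetchLayer::new(...))` call ahead of the header layers so rejection responses carry the same security headers. The policy closure also deserves a comment at the call site stating what `allow_safe_methods()` and `reject_missing_metadata()` mean for this router, since neither the accepted `Sec-Fetch-Site` values nor the treatment of clients that send no Fetch Metadata (older browsers, non-browser HTTP clients) is visible here; something like `// Fetch Metadata CSRF guard: safe methods pass, unsafe-method requests without Sec-Fetch-* headers are refused; confirm the default policy's handling of same-site vs cross-site before relying on this as the only CSRF control.` A test that a cross-site `POST` is refused and a same-origin one is accepted would pin the behaviour the commit message claims. The enclosing `build()` function starts outside the hunk.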