fix: Add CSRF protection

Cargo.lock

@@ -1181,6 +1181,7 @@ dependencies = [
  "serde",
  "thiserror 2.0.18",
  "tower-http",
+ "tower-sec-fetch",
  "tracing",
  "validator",
 ]
@@ -5799,6 +5800,18 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
 
+[[package]]
+name = "tower-sec-fetch"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff1e78d241de2527d3ef67e49d65d8cb08468c644c3aafac7a988c4accd76547"
+dependencies = [
+ "futures",
+ "http",
+ "tower",
+ "tracing",
+]
+
 [[package]]
 name = "tower-service"
 version = "0.3.3"

src/web/Cargo.toml

@@ -35,6 +35,7 @@ tower-http.workspace = true
 serde.workspace = true
 memory-serve = "2.1.0"
 validator = { version = "0.20.0", features = ["derive"] }
+tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }
 
 [build-dependencies]
 memory-serve = "2.1.0"

src/web/mod.rs

@@ -6,6 +6,7 @@ use axum::{
 };
 use conduwuit_service::state;
 use tower_http::set_header::SetResponseHeaderLayer;
+use tower_sec_fetch::SecFetchLayer;
 
 mod pages;
 
@@ -60,4 +61,7 @@ pub fn build() -> Router<state::State> {
 			header::CONTENT_SECURITY_POLICY,
 			HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
 		))
+		.layer(SecFetchLayer::new(|policy| {
+			policy.allow_safe_methods().reject_missing_metadata();
+		}))
 }