Merge branch 'main' into member-email-search

getfider · Jun 28, 2024 · 348923c · 348923c
2 parents 35ef53e + e55a144
commit 348923c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/app/cmd/routes.go b/app/cmd/routes.go
@@ -34,6 +34,7 @@ func routes(r *web.Engine) *web.Engine {
 	})
 
 	r.Use(middlewares.Secure())
+	r.Use(middlewares.CSRF())
 	r.Use(middlewares.Compress())
 
 	assets := r.Group()

diff --git a/app/middlewares/security.go b/app/middlewares/security.go
@@ -28,3 +28,16 @@ func Secure() web.MiddlewareFunc {
 		}
 	}
 }
+
+// Secure middleware is responsible for blocking CSRF attacks
+func CSRF() web.MiddlewareFunc {
+	return func(next web.HandlerFunc) web.HandlerFunc {
+		return func(c *web.Context) error {
+			var isWriteRequest = c.Request.Method == "POST" || c.Request.Method == "PUT" || c.Request.Method == "DELETE"
+			if isWriteRequest && !c.IsAjax() {
+				return c.Forbidden()
+			}
+			return next(c)
+		}
+	}
+}