Overview
POST, PATCH, and DELETE handlers across the application (notes, bookmarks, approvals, tips) do not validate a CSRF token. If session cookies are used for authentication, a malicious page visited by an authenticated user can silently submit requests to any of these endpoints and mutate data on behalf of the victim.
Specifications
Features:
- All state-mutating API routes validate a CSRF token or use a
SameSite=Strict cookie strategy
- Cross-origin requests without a valid token are rejected with HTTP 403
Tasks:
- Evaluate whether
SameSite=Strict on the session cookie is sufficient
- If not, implement the double-submit cookie pattern with
x-csrf-token header validation
- Add CSRF validation middleware in
src/lib/csrfMiddleware.ts
- Apply it to all non-GET handlers via
src/middleware.ts
Impacted Files:
src/middleware.ts
src/lib/csrfMiddleware.ts (new)
src/app/api/notes/route.ts
src/app/api/bookmarks/route.ts
src/app/api/approvals/route.ts
Acceptance Criteria
- Cross-origin POST requests without a valid CSRF token return HTTP 403
- Same-origin requests with a valid token succeed
- Auth endpoints are exempt as they do not require a pre-existing session
Overview
POST, PATCH, and DELETE handlers across the application (notes, bookmarks, approvals, tips) do not validate a CSRF token. If session cookies are used for authentication, a malicious page visited by an authenticated user can silently submit requests to any of these endpoints and mutate data on behalf of the victim.
Specifications
Features:
SameSite=Strictcookie strategyTasks:
SameSite=Stricton the session cookie is sufficientx-csrf-tokenheader validationsrc/lib/csrfMiddleware.tssrc/middleware.tsImpacted Files:
src/middleware.tssrc/lib/csrfMiddleware.ts(new)src/app/api/notes/route.tssrc/app/api/bookmarks/route.tssrc/app/api/approvals/route.tsAcceptance Criteria