1 unstable release

0.1.0 Sep 2, 2025

Custom license

tower-csrf

This is experimental middleware for tower. It has not received a formal audit.

It provides modern CSRF protection as outlined in a blog post by Filippo Valsorda, which discusses the research background for integrating CSRF protection into Go 1.25's net/http.

This repository has been discussed in tower and the axum project respectively.

This boils down to (quoting from the blog):

  1. Allow all GET, HEAD, or OPTIONS requests - this implies that no relevant state changes are performed at endpoints behind such safe methods
  2. If the Origin header matches an allow-list of trusted origins, allow the request
  3. If the Sec-Fetch-Site header is present and the value is same-origin or none, allow the request, otherwise reject
  4. If neither the Sec-Fetch-Site nor the Origin headers are present, allow the request
  5. If the Origin header’s host (including the port) matches the Host header, allow the request, otherwise reject it

See tests/csrf.rs for an example using Axum.
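The five steps above as a stand-alone decision function, added here as an example written for this page; it is not tower-csrf's own code, and the `RequestMeta` struct, the `Verdict` enum and the `csrf_check` name are assumptions standing in for the crate's real types. It uses only the standard library, so it runs without tower, axum or the http crate.

```rust
// Added example (not from the tower-csrf crate): the five-step check as a pure
// function over the request fields it needs, so each branch can be tested.

/// Outcome of the check for one request.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Reject,
}

/// Request fields the check consumes (hypothetical shape, not the crate's types).
pub struct RequestMeta<'a> {
    pub method: &'a str,
    pub origin: Option<&'a str>,
    pub sec_fetch_site: Option<&'a str>,
    pub host: Option<&'a str>,
}

/// Apply the five steps in order. `trusted` is the allow-list of full origins
/// (scheme + host + optional port) permitted to send state-changing requests.
pub fn csrf_check(req: &RequestMeta, trusted: &[&str]) -> Verdict {
    // Step 1: safe methods pass without further checks, so the handlers
    // behind them must not change state.
    if matches!(req.method, "GET" | "HEAD" | "OPTIONS") {
        return Verdict::Allow;
    }
    // Step 2: an Origin on the allow-list is accepted.
    if let Some(origin) = req.origin {
        if trusted.iter().any(|t| t.eq_ignore_ascii_case(origin)) {
            return Verdict::Allow;
        }
    }
    // Step 3: when Sec-Fetch-Site is present it decides; same-site and
    // cross-site are both rejected.
    if let Some(site) = req.sec_fetch_site {
        return if site == "same-origin" || site == "none" { Verdict::Allow } else { Verdict::Reject };
    }
    // Step 4: no Sec-Fetch-Site and no Origin means no browser-originated
    // cross-site request could have produced it; allow.
    let Some(origin) = req.origin else { return Verdict::Allow };
    // Step 5: compare the Origin's host[:port] with the Host header. An opaque
    // "null" Origin has no "://" part and is rejected, as is any mismatch.
    let origin_host = origin.split_once("://").map(|(_, rest)| rest);
    match (origin_host, req.host) {
        (Some(o), Some(h)) if o.eq_ignore_ascii_case(h) => Verdict::Allow,
        _ => Verdict::Reject,
    }
}
```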
