tower-sec-fetch

Crates.io: tower-sec-fetch
lib.rs: tower-sec-fetch
version: 0.1.2
created_at: 2025-05-24 13:56:27.834215+00
updated_at: 2025-05-25 08:30:38.532377+00
description: Rust Tower middleware to validate an HTTP request's Fetch Metadata
homepage:
repository: https://github.com/MatteoJoliveau/tower-sec-fetch
max_upload_size:
id: 1687453
size: 74,683
Matteo Joliveau (MatteoJoliveau)

documentation: https://docs.rs/tower-sec-fetch

README

tower-sec-fetch


Cookieless CSRF protection library

This crate provides a Tower middleware that implements Cross-Site Request Forgery (CSRF) protection by validating the Fetch Metadata headers of the incoming HTTP request. It requires no cookies, signing keys, or tokens.

If you're looking for a classic CSRF cookie implementation, try [tower-surf] instead.

Check the docs for more information and usage examples.

Overview

For a more in-depth explanation of the problem CSRF protection is trying to solve, and why using signed cookies is not always the best solution, refer to this excellent writeup by Filippo Valsorda.

In short, this crate allows you to protect web resources from cross-site inclusion and abuse by validating the Fetch Metadata headers and ensuring that only "safe" cross-site requests are allowed. In this context, "safe" means:

  • the request comes from the same origin (the site's exact scheme, host, and port) or the same site (any subdomain of the current domain), or is user-initiated (e.g. clicking a bookmark or typing the website's address directly), OR...
  • the request is a simple GET request coming from a navigation event (e.g. clicking a link on another website), as long as the response is not being embedded in elements like <object> or <iframe>.

Examples

The examples folder contains various examples of how to use tower-sec-fetch:

  • axum: the simplest way to add CSRF protection to an Axum application.
  • report-violations-and-allow: how to detect potentially unsafe requests without actually blocking them. This is useful for incrementally adopting tower-sec-fetch without breaking existing applications.
  • reject-missing-metadata: disallow even requests that don't supply the Fetch Metadata. Note that this usually includes non-browser clients, and might make your website unusable for some users.
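The policy summarised in the Overview, together with the two modes the examples list describes (report-only, and rejecting requests that carry no Fetch Metadata), written out as a plain Rust function. This is an added illustration, not code from tower-sec-fetch; it takes the relevant header values as strings so it runs without Tower or an HTTP framework. The `RequestMeta`, `Decision`, `check_fetch_metadata` and `report_only` names are this example's own, and the set of embedding destinations is an assumption drawn from the README's "elements like <object> or <iframe>".

```rust
// Added example (not the crate's own code): the Fetch Metadata resource
// isolation policy the README describes, as a framework-free function.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Allow,
    /// Request looks like an unsafe cross-site request; the reason is
    /// kept so it can be logged.
    Reject(&'static str),
}

/// The subset of an HTTP request the policy inspects. The real middleware
/// reads these from the request's header map; here they are plain strings.
pub struct RequestMeta<'a> {
    pub method: &'a str,
    pub sec_fetch_site: Option<&'a str>,
    pub sec_fetch_mode: Option<&'a str>,
    pub sec_fetch_dest: Option<&'a str>,
}

/// Destinations that embed the response inside another page. The README
/// names <object> and <iframe>; <embed> is included here as an assumption.
const EMBEDDING_DESTS: &[&str] = &["object", "embed", "iframe"];

/// Evaluate the policy. `reject_missing` mirrors the reject-missing-metadata
/// example: when true, requests without Fetch Metadata are refused.
pub fn check_fetch_metadata(req: &RequestMeta, reject_missing: bool) -> Decision {
    let site = match req.sec_fetch_site {
        Some(s) => s,
        // No Fetch Metadata at all: typically a non-browser client or an
        // older browser. The crate's default is to let these through.
        None => {
            return if reject_missing {
                Decision::Reject("missing Sec-Fetch-Site header")
            } else {
                Decision::Allow
            };
        }
    };

    // Same-origin, same-site and user-initiated (bookmark, typed URL)
    // requests are always allowed.
    if matches!(site, "same-origin" | "same-site" | "none") {
        return Decision::Allow;
    }

    // Cross-site: only a plain GET top-level navigation is allowed, and
    // only when the response is not embedded in another page.
    if site == "cross-site" {
        let is_get = req.method.eq_ignore_ascii_case("GET");
        let is_navigation = req.sec_fetch_mode == Some("navigate");
        let is_embedded = req
            .sec_fetch_dest
            .map_or(false, |d| EMBEDDING_DESTS.contains(&d));
        if is_get && is_navigation && !is_embedded {
            return Decision::Allow;
        }
        return Decision::Reject("cross-site request is not a plain GET navigation");
    }

    // Any other Sec-Fetch-Site value is unexpected; fail closed.
    Decision::Reject("unrecognised Sec-Fetch-Site value")
}

/// Report-only variant (report-violations-and-allow example): evaluate the
/// policy, log a verdict of Reject, but never block. The decision is
/// returned so callers can count violations while rolling the policy out.
pub fn report_only(req: &RequestMeta) -> Decision {
    let decision = check_fetch_metadata(req, false);
    if let Decision::Reject(reason) = decision {
        eprintln!("fetch-metadata violation (allowed in report mode): {reason}");
    }
    decision
}

fn main() {
    // A constructed cross-site form POST, the classic CSRF shape.
    let form_post = RequestMeta {
        method: "POST",
        sec_fetch_site: Some("cross-site"),
        sec_fetch_mode: Some("navigate"),
        sec_fetch_dest: Some("document"),
    };
    println!("{:?}", check_fetch_metadata(&form_post, false));
}
```

The function fails closed on an unrecognised `Sec-Fetch-Site` value, which is stricter than treating it as missing; whether that is the right default for your deployment depends on how many non-browser clients you serve, which is the same trade-off the reject-missing-metadata example describes.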

License

Licensed under either of Apache License, Version 2.0 or MIT license at your option.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
Commit count: 18
