Pierre-Olivier Mercier
8933055358
In development mode (-dev): - HSTS header is omitted (prevents browser caching HTTPS-only requirement) - CSRF cookie Secure flag is cleared (allows cookies over plain HTTP) - A warning is logged on startup Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
40 lines
872 B
Go
40 lines
872 B
Go
package main
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"net/http"
|
|
)
|
|
|
|
func generateCSRFToken() (string, error) {
|
|
b := make([]byte, 32)
|
|
if _, err := rand.Read(b); err != nil {
|
|
return "", err
|
|
}
|
|
return base64.URLEncoding.EncodeToString(b), nil
|
|
}
|
|
|
|
func setCSRFToken(w http.ResponseWriter) (string, error) {
|
|
token, err := generateCSRFToken()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "csrf_token",
|
|
Value: token,
|
|
Path: "/",
|
|
HttpOnly: false, // must be readable via form hidden field comparison
|
|
SameSite: http.SameSiteStrictMode,
|
|
Secure: !devMode,
|
|
})
|
|
return token, nil
|
|
}
|
|
|
|
func validateCSRF(r *http.Request) bool {
|
|
cookie, err := r.Cookie("csrf_token")
|
|
if err != nil || cookie.Value == "" {
|
|
return false
|
|
}
|
|
formToken := r.PostFormValue("csrf_token")
|
|
return formToken != "" && cookie.Value == formToken
|
|
}
|