CSRFConfig defines the config for CSRF middleware.
| 24 | |
| 25 | // CSRFConfig defines the config for CSRF middleware. |
| 26 | type CSRFConfig struct { |
| 27 | // Skipper defines a function to skip middleware. |
| 28 | Skipper Skipper |
| 29 | // TrustedOrigins permits any request that carries a `Sec-Fetch-Site` header and whose `Origin` header |
| 30 | // exactly matches one of the configured origins. The comparison is exact (whole "scheme://host[:port]" |
| 31 | // string, no wildcard or suffix matching), so list only origins you fully control. |
| 32 | // Values should be formatted as Origin header "scheme://host[:port]". |
| 32 | // |
| 33 | // See [Origin]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin |
| 34 | // See [Sec-Fetch-Site]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#fetch-metadata-headers |
| 35 | TrustedOrigins []string |
| 36 | |
| 37 | // AllowSecFetchSiteFunc allows custom behaviour for requests whose `Sec-Fetch-Site` header is about to |
| 38 | // make them fail with a CSRF error: the function may allow the request, or replace the error with a custom one. |
| 39 | // This function applies to `Sec-Fetch-Site` values: |
| 40 | // - `same-site` same registrable domain (a subdomain and/or different port). Note this is still a |
| 41 | //   different origin; treat it as untrusted unless you control every host under that domain. |
| 42 | // - `cross-site` request originates from a different site |
| 42 | // See [Sec-Fetch-Site]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#fetch-metadata-headers |
| 43 | AllowSecFetchSiteFunc func(c *echo.Context) (bool, error) |
| 44 | |
| 45 | // TokenLength is the length of the generated token. |
| 46 | // Optional. Default value 32. |
| 47 | TokenLength uint8 |
| 48 | |
| 49 | // TokenLookup is a string in the form of "<source>:<name>" or "<source>:<name>,<source>:<name>" that is used |
| 50 | // to extract token from the request. |
| 51 | // Optional. Default value "header:X-CSRF-Token". |
| 52 | // Possible values: |
| 53 | // - "header:<name>" or "header:<name>:<cut-prefix>" |
| 54 | // - "query:<name>" (a token in the query string can leak through logs and Referer headers; prefer header or form) |
| 55 | // - "form:<name>" |
| 56 | // Multiple sources example: |
| 57 | // - "header:X-CSRF-Token,query:csrf" |
| 58 | TokenLookup string `yaml:"token_lookup"` |
| 59 | |
| 60 | // Generator defines a function to generate token. |
| 61 | // Optional. Defaults to randomString(TokenLength). |
| 62 | // A custom Generator must return values an attacker cannot predict (cryptographically random); |
| 63 | // a guessable token defeats the CSRF check. |
| 62 | Generator func() string |
| 63 | |
| 64 | // Context key to store generated CSRF token into context. |
| 65 | // Optional. Default value "csrf". |
| 66 | ContextKey string |
| 67 | |
| 68 | // Name of the CSRF cookie. This cookie will store CSRF token. |
| 69 | // Optional. Default value "csrf". |
| 70 | CookieName string |
| 71 | |
| 72 | // Domain of the CSRF cookie. |
| 73 | // Optional. Default value none. |
| 74 | CookieDomain string |
| 75 | |
| 76 | // Path of the CSRF cookie. |
| 77 | // Optional. Default value none. |
| 78 | CookiePath string |
| 79 | |
| 80 | // Max age (in seconds) of the CSRF cookie. |
| 81 | // Optional. Default value 86400 (24hr). |
| 82 | CookieMaxAge int |
| 83 |