caddy-proxy-manager/app/api/auth
fuomag9 bdd3019214 security: add same-origin CSRF check to state-changing user API routes
Adds checkSameOrigin() helper in auth.ts that validates the Origin header
against the Host header. If Origin is present and mismatched, returns 403.
Applied to all 5 custom POST routes flagged in CPM-003 (NEXT-CSRF-001):
  - change-password, link-oauth-start, unlink-oauth, update-avatar, logout

SameSite=Lax (NextAuth default) already blocks standard cross-site CSRF;
this adds defense-in-depth against subdomain and misconfiguration scenarios.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 01:04:18 +01:00
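An added illustration of the Origin-vs-Host comparison the commit message describes, not the project's auth.ts code; the function name checkSameOrigin, the lowercase header-map input and the result shape are assumptions, and the policy follows the message: no Origin header allows the request, a present but mismatched Origin is rejected with 403.

```typescript
// Added example of an Origin-vs-Host same-origin check (not the project's code).
// Header names are assumed to arrive lowercased, as Node/Next.js expose them.
interface OriginCheckResult {
  ok: boolean;
  status: 200 | 403;
  reason: string;
}

// Normalise a host for comparison: lowercase and drop the scheme's default port,
// so "cpm.example.com:443" and "cpm.example.com" compare equal under https.
function normalizeHost(host: string, scheme: string): string {
  const h = host.trim().toLowerCase();
  const defaultPort = scheme === "https" ? ":443" : ":80";
  return h.endsWith(defaultPort) ? h.slice(0, -defaultPort.length) : h;
}

function checkSameOrigin(headers: Record<string, string | undefined>): OriginCheckResult {
  const origin = headers["origin"];
  const host = headers["host"];
  // Same-site form posts and non-browser clients may omit Origin; the commit's
  // policy lets those through and relies on the SameSite=Lax cookie for them.
  if (origin === undefined) {
    return { ok: true, status: 200, reason: "no Origin header" };
  }
  if (host === undefined) {
    return { ok: false, status: 403, reason: "no Host header to compare against" };
  }
  let parsed: URL;
  try {
    parsed = new URL(origin);
  } catch {
    // "null" (opaque origin, e.g. a sandboxed iframe) or malformed input: reject.
    return { ok: false, status: 403, reason: `unparseable Origin: ${origin}` };
  }
  const scheme = parsed.protocol.replace(":", "");
  // Exact host match only, so a subdomain origin (evil.cpm.example.com) is rejected.
  if (normalizeHost(parsed.host, scheme) !== normalizeHost(host, scheme)) {
    return { ok: false, status: 403, reason: `Origin ${origin} does not match Host ${host}` };
  }
  return { ok: true, status: 200, reason: "Origin matches Host" };
}
```

Behind a reverse proxy the Host header seen by the app may be the proxy's rewrite of the original; compare against the forwarded host only when a trusted proxy sets it.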