add csrf filter middleware

[niklasf]

Hi. Many applications need a middleware that filters cross-site requests (to prevent CSRF). Here's an attempt to implement that.

[fafhrd91]

looks pretty good!

I haven't done any browser related services for long time. do people use csrf tokens nowadays?

[niklasf]

Yes, that's definitely an option (and OWASP still recommends using both headers and some kind of tokens). Headers alone are sufficient, though, and supported in browsers for a long time.

[fafhrd91]

I think csrf middleware should support tokens otherwise it's functionality is similar to cors middleware.

[niklasf]

Should I perhaps try to merge this into the CORS middleware (and leave the token approach for future work)?

That would probably involve something like adding CorsBuilder::same_origin() which would be similar to CorsBuilder::allowed_origin() (but not announced in the Acess-Control-Allow-Origin header).

[fafhrd91]

hmm, I see. let's just merge it.

[codecov]

Codecov Report

Merging #89 into master will decrease coverage by 0.06%.
The diff coverage is 68.51%.

@@            Coverage Diff             @@
##           master      #89      +/-   ##
==========================================
- Coverage   78.76%   78.69%   -0.07%     
==========================================
  Files          67       68       +1     
  Lines        8085     8139      +54     
==========================================
+ Hits         6368     6405      +37     
- Misses       1717     1734      +17

Impacted Files	Coverage Δ
src/middleware/mod.rs	0% <ø> (ø)	⬆️
src/middleware/csrf.rs	68.51% <68.51%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bebfc6c...e60acb7. Read the comment docs.

[fafhrd91]

thanks!

[niklasf]

Cool, thanks. I guess it's different enough from the CORS middleware to warrant seperation.

[fafhrd91]

yes, especially if we add tokens later