janpeter/Ops-dashboard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Ops-dashboard/middleware.ts
Scrum4Me Agent aa1fd41bec feat(security): rate-limit /api/flows/start, CSRF double-submit cookie, CSP headers 
- Rate-limit /api/flows/start to 10 req/min per user (in-memory, matches login pattern)
- Add middleware.ts: validates x-csrf-token header against csrf_token cookie on all
  API POST requests; issues the cookie on GET if missing; sets CSP, X-Frame-Options,
  X-Content-Type-Options, and Referrer-Policy on all responses
- Add lib/csrf.ts: client-side apiFetch() wrapper that injects the CSRF header
- Update all client components (login, useFlowRun, docker, caddy, git, systemd)
  to use apiFetch() for POST requests
- Cookie config in login route already correct (NODE_ENV check, httpOnly, sameSite=strict)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 20:01:43 +02:00

55 lines
1.7 KiB
TypeScript
Raw Blame History

import { NextRequest, NextResponse } from 'next/server'
const CSP = [
"default-src 'self'",
"script-src 'self' 'unsafe-inline'",
"style-src 'self' 'unsafe-inline'",
"font-src 'self'",
"img-src 'self' data:",
"connect-src 'self'",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
].join('; ')
const CSRF_COOKIE = 'csrf_token'
const CSRF_HEADER = 'x-csrf-token'
export function middleware(request: NextRequest) {
const { method, nextUrl } = request
// Validate CSRF token on all POST requests to API routes
if (method === 'POST' && nextUrl.pathname.startsWith('/api/')) {
const cookieToken = request.cookies.get(CSRF_COOKIE)?.value
const headerToken = request.headers.get(CSRF_HEADER)
if (!cookieToken || cookieToken !== headerToken) {
return new NextResponse(
JSON.stringify({ error: 'CSRF validation failed' }),
{ status: 403, headers: { 'Content-Type': 'application/json' } },
)
}
}
const response = NextResponse.next()
response.headers.set('Content-Security-Policy', CSP)
response.headers.set('X-Frame-Options', 'DENY')
response.headers.set('X-Content-Type-Options', 'nosniff')
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
// Issue a CSRF token cookie on GET requests when not yet present
if (method === 'GET' && !request.cookies.get(CSRF_COOKIE)) {
response.cookies.set(CSRF_COOKIE, crypto.randomUUID(), {
httpOnly: false, // must be readable by client JS for the double-submit pattern
sameSite: 'strict',
secure: process.env.NODE_ENV === 'production',
path: '/',
})
}
return response
}
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
}
Reference in a new issue View git blame Copy permalink