It sounds interesting. My personal suggestion is to try making it in a separate library, and test it out some. We could consider adding it after that, but it would help iteration without needing much from the limited time our maintainers have to pay attention to tower-http.
Only had some time today to commit a PoC here: https://github.com/yawn/tower-csrf There is some test coverage but still a few items to consider, currently
If you have 5m @seanmonstar, have a look please.
Replacement for the discussion in axum.
In a recent blogpost @FiloSottile discussed background research that went into a feature of the Go standard library: a modern CSRF protection middleware.
tower-http can be considered as one of the equivalents of (the server part of) net/http and might want to consider porting this feature. This boils down to (quoting from the blog):

same-origin or none, allow the request, otherwise reject

Seems simple enough to implement. Given the thoroughness of the background research and subsequent inclusion of the solution into the Go standard this seems like a worthy addition to tower-http.
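The `same-origin` / `none` rule quoted in the post above, as an added Rust sketch that is not part of the discussion and is not tower-http or tower-csrf code. The `check` function, the `Verdict` type, the safe-method exemption and the Origin/Host fallback are assumptions of this example; only the `same-origin`/`none` rule comes from the post, applied here to the `Sec-Fetch-Site` request header.

```rust
// Added example, std only. Header names and values below are constructed samples.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Reject(&'static str),
}

// Case-insensitive lookup over (name, value) header pairs.
fn header<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|&&(k, _)| k.eq_ignore_ascii_case(name))
        .map(|&(_, v)| v.trim())
}

pub fn check(method: &str, headers: &[(&str, &str)]) -> Verdict {
    // Assumption: safe methods do not change state and are let through.
    if matches!(method, "GET" | "HEAD" | "OPTIONS") {
        return Verdict::Allow;
    }
    // Rule quoted in the post: same-origin or none passes, anything else is rejected.
    if let Some(site) = header(headers, "sec-fetch-site") {
        return match site {
            "same-origin" | "none" => Verdict::Allow,
            _ => Verdict::Reject("Sec-Fetch-Site is not same-origin or none"),
        };
    }
    // Assumption: without Sec-Fetch-Site, compare the Origin host with Host.
    let origin = match header(headers, "origin") {
        None => return Verdict::Allow, // no browser metadata at all (e.g. an API client)
        Some(o) => o,
    };
    let origin_host = origin.split_once("://").map(|(_, rest)| rest);
    match (origin_host, header(headers, "host")) {
        (Some(o), Some(h)) if o.eq_ignore_ascii_case(h) => Verdict::Allow,
        _ => Verdict::Reject("Origin does not match Host"),
    }
}

fn main() {
    // Constructed cross-site form post.
    let req = [("Host", "app.example"), ("Sec-Fetch-Site", "cross-site")];
    println!("{:?}", check("POST", &req));
}
```

Note that `same-site` is rejected along with `cross-site`, and an opaque `Origin: null` fails the fallback comparison, so sibling subdomains and sandboxed frames are treated as untrusted.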