Check and report on Sec-Fetch-Site header for forgery protection

This is a great, solid alternative to CSRF tokens for CSRF protection
when we aren't worried about older browsers or other kind of actors
doing modifying requests in our app, and could be a good test for future
upstreaming to Rails (although there we'd need to continue using CSRF
tokens or at least letting people opt out manually).

Let's start checking the header and reporting on it when CSRF fails or
when it doesn't match the other checks Rails does, and then promote this
to be the only way to defend from CSRF.
This commit is contained in:
Rosa Gutierrez
2025-11-19 22:26:17 +01:00
committed by Rosa Gutierrez
parent 51860d6c66
commit d88949288c
3 changed files with 203 additions and 0 deletions
@@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
include Authentication
include Authorization
include CurrentRequest, CurrentTimezone, SetPlatform
include RequestForgeryProtection
include TurboFlash, ViewTransitions
include Saas
include RoutingHeaders