diff options
| author | Peter Stone <thepeterstone@gmail.com> | 2026-06-03 00:35:02 +0000 |
|---|---|---|
| committer | Peter Stone <thepeterstone@gmail.com> | 2026-06-03 00:35:02 +0000 |
| commit | eb089ef4c9416bd3d5642bb5a4437355ffa2fdd0 (patch) | |
| tree | 8e4fbd833defa346f506c95a80345b3ab0fc379a /internal/handlers/settings.go | |
| parent | 3a9263abd0a5b2b759a8f691f001ff71f5417748 (diff) | |
fix: add CSRF and WebSocket origin protection to Claudomator proxy
Token-based CSRF is impractical for a reverse proxy whose UI doesn't
know Doot's session tokens, so state-changing requests to /claudomator/*
are now validated against the configured WebAuthn origin via Origin/Referer
header. WebSocket upgrades reject mismatched or missing Origin headers
before hijacking the connection. Both checks are no-ops when WebAuthnOrigin
is unset (local dev).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'internal/handlers/settings.go')
0 files changed, 0 insertions, 0 deletions
