summaryrefslogtreecommitdiff
path: root/internal/handlers/claudomator_proxy.go
AgeCommit message (Collapse)Author
2026-06-03fix: add CSRF and WebSocket origin protection to Claudomator proxyPeter Stone
Token-based CSRF is impractical for a reverse proxy whose UI doesn't know Doot's session tokens, so state-changing requests to /claudomator/* are now validated against the configured WebAuthn origin via Origin/Referer header. WebSocket upgrades reject mismatched or missing Origin headers before hijacking the connection. Both checks are no-ops when WebAuthnOrigin is unset (local dev). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-25feat: gate Claudomator UI behind Doot session auth via reverse proxyDoot Agent
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>