Hi Community, I have an idea to design a CSRF plugin for APISIX; the
purpose is to avoid the danger of CSRF attacks on routes.

Taking into account the stateless nature of APISIX, I plan to use the Double
Submit Cookie pattern to check for CSRF attacks.

Simply put, the CSRF plugin sets a cookie on the client in each request,
which contains the encrypted CSRF token, and the client sets it in the
request header on subsequent requests. The CSRF plugin compares the request
header with the cookie and verifies it to prevent CSRF attacks.

The CSRF plugin has two configuration items: key and expires. The key
requires the user to provide a secret key, and the plugin will generate an
encrypted cookie based on an HMAC of the token with this secret key. The
expires refers to the cookie expiration time; this one is optional, and if
the user does not provide it, the plugin will provide an appropriate default
value.

The plugin works at the route level. Users can turn on the plugin on the
desired routes to avoid CSRF attacks on those routes as much as possible.

Any ideas or suggestions for these?


Best Regards!

Yuan Bao<[email protected]>

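The double-submit check described in the proposal, as an added example that is not part of the original post and not APISIX's own code (APISIX plugins are written in Lua; this Python sketch only models the logic). The cookie and header names, the token layout (random nonce, expiry, HMAC-SHA256 over both), the 7200-second default, and the set of request methods that skip the check are all assumptions made for illustration. The example goes slightly beyond the post by showing the three failure cases a practitioner would test: a cross-site request that carries the cookie but no header, a token whose expiry was edited by the client, and an expired token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed names and defaults for this illustration (not the plugin's real config).
COOKIE_NAME = "apisix-csrf-token"
HEADER_NAME = "apisix-csrf-token"
DEFAULT_EXPIRES = 7200                 # seconds; assumed default lifetime
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed: only state-changing methods are checked


def _sign(key: str, random_part: str, expires_at: int) -> str:
    """HMAC-SHA256 over nonce and expiry with the route's secret key."""
    msg = f"{random_part}:{expires_at}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def issue_token(key: str, expires: int = DEFAULT_EXPIRES, now: Optional[int] = None) -> str:
    """Build the cookie value the plugin would set: nonce + expiry + signature, base64url-encoded."""
    now = int(time.time()) if now is None else now
    random_part = secrets.token_hex(16)
    expires_at = now + expires
    payload = {"random": random_part, "expires": expires_at,
               "sign": _sign(key, random_part, expires_at)}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


def verify_token(key: str, cookie_value: Optional[str], header_value: Optional[str],
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Double-submit check: header must echo the cookie, and the cookie must carry a valid, unexpired HMAC."""
    now = int(time.time()) if now is None else now
    if not cookie_value or not header_value:
        return False, "missing cookie or header"
    # A page on another origin cannot read the cookie, so it cannot reproduce it in a header.
    # Compare in constant time so the check leaks nothing about the token.
    if not hmac.compare_digest(cookie_value.encode(), header_value.encode()):
        return False, "header does not match cookie"
    try:
        payload = json.loads(base64.urlsafe_b64decode(cookie_value))
        random_part = str(payload["random"])
        expires_at = int(payload["expires"])
        sign = str(payload["sign"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"
    # Recompute the HMAC: a client cannot forge a token or extend its expiry without the key.
    if not hmac.compare_digest(sign, _sign(key, random_part, expires_at)):
        return False, "bad signature"
    if now >= expires_at:
        return False, "token expired"
    return True, "ok"


def check_request(key: str, method: str, cookies: Dict[str, str], headers: Dict[str, str],
                  now: Optional[int] = None) -> Tuple[bool, str]:
    """Route-level decision: safe methods pass; state-changing ones need a valid cookie/header pair."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    return verify_token(key, cookies.get(COOKIE_NAME), headers.get(HEADER_NAME), now)


def tamper_expiry(cookie_value: str, new_expires_at: int) -> str:
    """Simulate a client editing the expiry field of its own cookie (signature is left untouched)."""
    payload = json.loads(base64.urlsafe_b64decode(cookie_value))
    payload["expires"] = new_expires_at
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


if __name__ == "__main__":
    key, now = "route-secret-key", 1_700_000_000   # constructed sample values
    tok = issue_token(key, 3600, now=now)
    # Legitimate same-origin POST: the app copies the cookie into the header.
    print(check_request(key, "POST", {COOKIE_NAME: tok}, {HEADER_NAME: tok}, now=now + 10))
    # Cross-site POST: the browser attaches the cookie, but the attacker cannot set the header.
    print(check_request(key, "POST", {COOKIE_NAME: tok}, {}, now=now + 10))
    # Client edits the expiry in its cookie: the HMAC no longer matches.
    forged = tamper_expiry(tok, now + 10 ** 6)
    print(check_request(key, "POST", {COOKIE_NAME: forged}, {HEADER_NAME: forged}, now=now + 10))
```

The cookie must still be sent with a SameSite attribute and without HttpOnly (the client-side script has to read it to copy it into the header); those cookie attributes are outside this sketch.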