feat: Implement (but not enforce) CSRF for FE requests (#3786)

Future work is to enforce CSRF Co-authored-by: Presley Pizzo <presley@coder.com>
2025-07-15 22:20:27 +00:00 · 2022-09-13 15:26:46 -04:00
parent 9ab437d6e2
commit 9b5ee8f267
22 changed files with 211 additions and 115 deletions
--- a/coderd/httpmw/templateversionparam_test.go
+++ b/coderd/httpmw/templateversionparam_test.go
@ -29,10 +29,7 @@ func TestTemplateVersionParam(t *testing.T) {
 			hashed     = sha256.Sum256([]byte(secret))
 		)
 		r := httptest.NewRequest("GET", "/", nil)
-		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenKey,
-			Value: fmt.Sprintf("%s-%s", id, secret),
-		})
+		r.Header.Set(codersdk.SessionCustomHeader, fmt.Sprintf("%s-%s", id, secret))

 		userID := uuid.New()
 		username, err := cryptorand.String(8)