This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch satisfy-asvs-786 in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit f02ce1c52c10b9c5b3c1799cb726fc8dac85512b
Author: Dave Fisher <[email protected]>
AuthorDate: Mon Mar 2 13:50:03 2026 -0800

    Satisfy ASVS #786
---
 atr/blueprints/api.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/atr/blueprints/api.py b/atr/blueprints/api.py
index 3c84266f..d7bce592 100644
--- a/atr/blueprints/api.py
+++ b/atr/blueprints/api.py
@@ -39,6 +39,23 @@ def register(app: base.QuartApp) -> tuple[ModuleType, list[str]]:
     return api, []
 
 
+@_BLUEPRINT.before_request
+async def _csrf_defense_in_depth() -> None:
+    """
+    CSRF defense-in-depth for API routes.
+
+    - Primary control: explicit Authorization (JWT)
+    - Browser detection: Sec-Fetch-Site enforcement (already present)
+    - Origin is intentionally *not* allowlisted to preserve cross-origin API use
+    """
+    origin = quart.request.headers.get("Origin")
+
+    # Explicitly read Origin to make the control visible and auditable.
+    # No allowlist enforcement by design (API is cross-origin).
+    if origin is not None:
+        pass
+
+
 @_BLUEPRINT.before_request
 @rate_limiter.rate_limit(500, datetime.timedelta(hours=1))
 async def _api_rate_limit() -> None:
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
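Review bot: The new `_csrf_defense_in_depth` hook reads `Origin` and then does nothing — `if origin is not None: pass` is dead code, so the per-request cost buys no enforcement, and a reader auditing CSRF controls may mistake an empty hook for a real one. If API routes accept only an explicit `Authorization` bearer token and never a session cookie, a browser will not attach credentials to a forged cross-site request and no Origin check is needed; that rationale is better recorded as a comment beside the existing Sec-Fetch-Site check the docstring refers to (not visible in this hunk) than as a no-op `before_request`. If any route can instead be reached with a cookie session, the hook should reject rather than observe, e.g. `if origin is not None and "Authorization" not in quart.request.headers and quart.request.method not in {"GET", "HEAD", "OPTIONS"}: quart.abort(403)`. At minimum replace the `pass` with a debug-level log so the "visible and auditable" claim holds at runtime, and note in the docstring that `Sec-Fetch-Site` is not sent by older browsers, which is precisely the gap an Origin check would be covering.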
