authorBrian Picciano <mediocregopher@gmail.com>2021-08-29 22:15:58 -0600
committerBrian Picciano <mediocregopher@gmail.com>2021-08-29 22:15:58 -0600
commit15ae483fadbd136acefcd602b2f2ac5a83165c73 (patch)
tree0f25ed1dd81e4fffeed6055dd02da48a567c8fb2 /srv/api/api.go
parent5746a510fc569fd464e46b646d4979a976ad769b (diff)
add CSRF checking
Diffstat (limited to 'srv/api/api.go')
-rw-r--r--srv/api/api.go6
1 files changed, 5 insertions, 1 deletions
diff --git a/srv/api/api.go b/srv/api/api.go
index 39d73d9..bbb677a 100644
--- a/srv/api/api.go
+++ b/srv/api/api.go
@@ -142,6 +142,8 @@ func (a *api) handler() http.Handler {
staticHandler = httputil.NewSingleHostReverseProxy(a.params.StaticProxy)
}
+ staticHandler = setCSRFMiddleware(staticHandler)
+
// sugar
requirePow := func(h http.Handler) http.Handler {
return a.requirePowMiddleware(h)
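Review bot: The CSRF token is issued only through the wrapped handler at `staticHandler = setCSRFMiddleware(staticHandler)`, and nothing visible here keeps those responses out of shared caches; the `Cache-Control: no-store` header set later in this function is applied to `apiHandler`, and it is not visible whether static responses receive it too. If a static page (or a response from the `StaticProxy` upstream) that carries the token, presumably in a `Set-Cookie` header, is cacheable, a cache in front of the server could hand the same token to several visitors, which would weaken the check. The middleware's body is outside this hunk, so confirm there that the cookie is set with `Secure` and an explicit `SameSite` value, and consider a comment here such as `// issue the CSRF token on page loads; checkCSRFMiddleware verifies it on API calls`. The body of handler() starts and ends outside the hunk.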
@@ -163,7 +165,9 @@ func (a *api) handler() http.Handler {
apiMux.Handle("/mailinglist/finalize", a.mailingListFinalizeHandler())
apiMux.Handle("/mailinglist/unsubscribe", a.mailingListUnsubscribeHandler())
- apiHandler := logMiddleware(a.params.Logger, apiMux)
+ var apiHandler http.Handler = apiMux
+ apiHandler = checkCSRFMiddleware(apiHandler)
+ apiHandler = logMiddleware(a.params.Logger, apiHandler)
apiHandler = annotateMiddleware(apiHandler)
apiHandler = addResponseHeaders(map[string]string{
"Cache-Control": "no-store, max-age=0",
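Review bot: `checkCSRFMiddleware` wraps the whole `apiMux`, so it also gates `/mailinglist/finalize` and `/mailinglist/unsubscribe`; if either is ever requested by a client that has not first loaded a page through `staticHandler` (for example straight from an emailed link), the request would carry no token and be rejected. The check's body is outside this hunk, so confirm there which HTTP methods it enforces on and that the token comparison is constant-time. The ordering itself looks right: the check sits inside `logMiddleware`, so rejected requests should still be logged. That is easy to undo by accident, and a comment such as `// CSRF check is innermost so rejected requests still reach logMiddleware` would pin it down. handler() continues past the end of the hunk.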