chore(revproxy): add csrf check

csrf cookie-to-header check in the reverse proxy
uc-cdis · Jan 29, 2018 · 7516873 · 7516873
1 parent 79a520f
commit 7516873
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/kube/services/revproxy/00nginx-config.yaml b/kube/services/revproxy/00nginx-config.yaml
@@ -39,8 +39,7 @@ data:
       
       	##
       	# Logging Settings
-      	##
-      
+      	##      
       	access_log /dev/stdout;
       	error_log /dev/stderr;
       
@@ -67,6 +66,21 @@ data:
           if ($cookie_access_token) {
               set $access_token "Bearer $cookie_access_token";
           }
+          
+          #
+          # CSRF check
+          # This block requires a csrftoken for all POST requests.
+          #
+          set $csrf_check "fail";
+          if ($cookie_csrftoken = $http_x_csrf_token) {
+            set $csrf_check "ok-$cookie_csrftoken";
+          }
+          if ($request_method != "POST") {
+            set $csrf_check "ok-$request_method";
+          }
+          if ($csrf_check !~ ^ok-\S.+$) {
+            return 403 "failed csrf check";
+          }
 
           #
           # Note - need to repeat this line in location blocks that call proxy_set_header,