
📝 [Proposal]: Offer simpler CSRF middleware as in Go's http.CrossOriginProtection #3912

@JonasDoe

Description


Feature Proposal Description

In Go, there's now a low-effort, rather performant CSRF protection available, with a comprehensive explanation. Of course it doesn't cover all edge cases the token/session approach in fiber does, but I wonder whether it might make sense to at least provide an option to just mirror the default http's protection as a "cheap" alternative to the current dual-roundtrip approach.

Alignment with Express API

We're just talking about a vendored middleware here (or maybe only the modification of one), so there should be no conflict with the API at all. That said, there is no CSRF protection middleware with similar logic in express yet.

HTTP RFC Standards Compliance

By default, the http.CrossOriginProtection assumes that GET, HEAD, and OPTIONS won't trigger a modification - as fiber's CSRF middleware does, too. But this doesn't conflict with the HTTP RFC, where those are considered "safe" methods. Additionally, it relies on certain header entries (Sec-Fetch-Site or, if absent, Origin), neither of which is specified in the HTTP RFC, but which can still be considered standards (#1, #2).

API Stability

Honestly, I'm relying here a bit on the authority of the Go developers. Since API stability and backwards compatibility are a main focus of Go development, I'd consider the approach rather safe against fundamental changes. The fiber middleware adjustments should keep close to it. The biggest question is probably whether to support InsecureBypassPatterns in the way the http variant does, because the form of [METHOD ][HOST]/[PATH] is uncommon for fiber.

Feature Examples

Since this approach doesn't really pose a conflict with the existing CSRF middleware, it could be integrated as an additional option:

app.Use(csrf.New(csrf.Config{
    CrossOriginProtection: CrossOriginProtectionOpts{
        TrustedOrigins: []string{"http://localhost:8080"},
        InsecureBypassPatterns: []InsecureBypassPattern{
            {Method: []string{fiber.MethodPost}, Pattern: "example.com/"},
        },
    },
    ...
}))

Checklist:

  • I agree to follow Fiber's Code of Conduct.
  • I have searched for existing issues that describe my proposal before opening this one.
  • I understand that a proposal that does not meet these guidelines may be closed without explanation.
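To make the proposed behaviour concrete, here is an added example (not code from the issue, from Fiber, or from Go's net/http) of the decision procedure that http.CrossOriginProtection documents: safe methods pass, Sec-Fetch-Site is consulted first, and the Origin host is compared with Host only when Sec-Fetch-Site is absent. It is written standalone on net/http types so it runs without Fiber or Go 1.25; the names CrossOriginCheck, NewCrossOriginCheck, NewRequest and the bypass predicate (standing in for InsecureBypassPatterns, whose pattern syntax the issue questions) are this example's own assumptions, and all requests are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Errors returned by Check; Handler maps both to 403 Forbidden.
var (
	ErrCrossOrigin    = errors.New("cross-origin request rejected via Sec-Fetch-Site")
	ErrOriginMismatch = errors.New("Origin header does not match Host")
)

// CrossOriginCheck follows the decision procedure documented for Go's
// http.CrossOriginProtection. Type and field names are assumed for this example.
type CrossOriginCheck struct {
	trusted map[string]bool                // exact Origin values, e.g. "https://admin.example.com"
	bypass  func(method, path string) bool // stand-in for InsecureBypassPatterns
}

func NewCrossOriginCheck(trustedOrigins []string, bypass func(method, path string) bool) *CrossOriginCheck {
	c := &CrossOriginCheck{trusted: map[string]bool{}, bypass: bypass}
	for _, o := range trustedOrigins {
		c.trusted[o] = true
	}
	return c
}

// Check returns nil if r may proceed, or the error explaining the rejection.
func (c *CrossOriginCheck) Check(r *http.Request) error {
	switch r.Method { // safe methods must not change state, so always allow them
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}
	switch r.Header.Get("Sec-Fetch-Site") { // browser-set, not forgeable by page scripts
	case "":
		// absent (older browser or non-browser client): fall back to Origin below
	case "same-origin", "none":
		return nil
	default: // "same-site" or "cross-site"
		if c.exempt(r) {
			return nil
		}
		return ErrCrossOrigin
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return nil // neither header present: not a browser cross-origin request
	}
	// Origin carries a scheme and Host does not, so only the host part is compared.
	if u, err := url.Parse(origin); err == nil && u.Host == r.Host {
		return nil
	}
	if c.exempt(r) {
		return nil
	}
	return ErrOriginMismatch
}

// exempt covers trusted origins and the insecure bypass predicate.
func (c *CrossOriginCheck) exempt(r *http.Request) bool {
	if c.trusted[r.Header.Get("Origin")] {
		return true
	}
	return c.bypass != nil && c.bypass(r.Method, r.URL.Path)
}

// Handler wraps h and answers rejected requests with 403 Forbidden.
func (c *CrossOriginCheck) Handler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := c.Check(r); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// NewRequest builds a constructed request; http.NewRequest sets r.Host from the URL.
func NewRequest(method, host, path string, headers map[string]string) *http.Request {
	r, err := http.NewRequest(method, "http://"+host+path, nil)
	if err != nil {
		panic(err)
	}
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	check := NewCrossOriginCheck([]string{"https://admin.example.com"},
		func(m, p string) bool { return m == http.MethodPost && p == "/webhook" })
	sfs := func(v string) map[string]string { return map[string]string{"Sec-Fetch-Site": v} }
	cases := map[string]*http.Request{
		"GET cross-site (safe method)":    NewRequest("GET", "app.example.com", "/", sfs("cross-site")),
		"POST cross-site":                 NewRequest("POST", "app.example.com", "/transfer", sfs("cross-site")),
		"POST cross-site, trusted Origin": NewRequest("POST", "app.example.com", "/transfer", map[string]string{"Sec-Fetch-Site": "cross-site", "Origin": "https://admin.example.com"}),
		"POST old browser, Origin differs": NewRequest("POST", "app.example.com", "/transfer", map[string]string{"Origin": "https://evil.example"}),
		"POST curl, no headers":           NewRequest("POST", "app.example.com", "/transfer", nil),
		"POST cross-site, bypassed path":  NewRequest("POST", "app.example.com", "/webhook", sfs("cross-site")),
	}
	for name, r := range cases {
		fmt.Printf("%-34s -> %v\n", name, check.Check(r))
	}
}
```

Two caveats the example makes visible, and which the Go documentation itself notes: a POST with neither Sec-Fetch-Site nor Origin (curl, server-to-server) is allowed, because the check targets browser-initiated requests only; and the Origin fallback compares hosts without the scheme, so an http-to-https cross-origin request from a browser old enough to lack Sec-Fetch-Site is not caught. Those are the edge cases the issue concedes the token-based fiber middleware still covers.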
