CSRF

Protect your web apps from Cross-Site Request Forgery (CSRF) attacks by configuring origin validation.

About CSRF protection

According to OWASP, CSRF is defined as follows:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

To help prevent CSRF attacks, you can enable CSRF protection for your gateway or a specific route. For each route that you apply the CSRF policy to, the filter checks to make sure that a request’s origin matches its destination. If the origin and destination do not match, a 403 Forbidden error code is returned.

ℹ️

Note that because CSRF attacks specifically target state-changing requests, the filter only acts on HTTP requests that have a state-changing method such as POST or PUT.

Before you begin

Set up CSRF protection

Configure an AgentgatewayPolicy to enable CSRF protection for your Gateway. This policy validates the Origin header of incoming requests and blocks requests from untrusted origins.

Create an AgentgatewayPolicy with your CSRF configuration.

kubectl apply -f - <<EOF
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayPolicy
metadata:
  name: csrf
  namespace: agentgateway-system
spec:
  # Target the Gateway to apply CSRF protection to all routes
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: agentgateway-proxy
  traffic:
    csrf:
      # Additional origins that are allowed to make requests
      # These are origins beyond the request's own origin that you trust
      additionalOrigins:
      - example.org
      - allowThisOne.example.com
      - "*.subdomain.example.com"
EOF

Field	Description
`csrf`	Enables CSRF protection for the targeted Gateway or routes. When configured, all cross-origin requests are validated.
`additionalOrigins`	List of additional origins that are allowed to make requests to your app beyond the same-origin requests. This is useful for trusted partners, subdomains, or CDNs. Origins can include wildcards for subdomain matching.

Send a request to the httpbin app on the www.example.com domain. Include the malicioussite.com origin that is not allowed in your policy. Verify that the request is denied and that you get back a 403 HTTP response code.

curl -vi -X POST http://$INGRESS_GW_ADDRESS:8080/post \
 -H "host: www.example.com:8080" \
 -H "origin: malicioussite.com"

curl -vi -X POST localhost:8080/post \
 -H "host: www.example.com" \
 -H "origin: malicioussite.com"

Example output:

* Request completely sent off
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
...
< 
CSRF validation failed%

Send another request to the httpbin app. This time, you include the allowThisOne.example.com origin header that is allowed in your policy. Verify that you get back a 200 HTTP response code, because the origin matches the origin that you specified in the AgentgatewayPolicy resource.

curl -vi -X POST http://$INGRESS_GW_ADDRESS:8080/post \
-H "host: www.example.com:8080" \
-H "origin: allowThisOne.example.com"

curl -vi -X POST localhost:8080/post \
-H "host: www.example.com" \
-H "origin: allowThisOne.example.com"

Example output:

HTTP/1.1 200 OK
...
{
  "args": {},
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Host": [
      "www.example.com"
    ],
    "Origin": [
      "allowThisOne.example.com"
    ],
    "User-Agent": [
      "curl/8.7.1"
    ]
  }
...

Clean up

You can remove the resources that you created in this guide.

kubectl delete AgentgatewayPolicy csrf -n agentgateway-system

BYO ext auth service