feat: add origin check for CSRF protection

.changeset/fair-jars-behave.md

@@ -0,0 +1,26 @@
+---
+"astro": minor
+---
+
+Adds a new security - and experimental - option to prevent CSRF attacks. This feature is available only for on-demand pages:
+
+```js
+import { defineConfig } from "astro/config"
+export default defineConfig({
+  security: {
+    csrfProtection: {
+      origin: true
+    }
+  },
+  experimental: {
+    csrfProtection: true
+  }
+})
+```
+
+When enabled, it checks that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`.
+
+The "origin" check is executed only on-demand pages, and only for the requests `POST, `PATCH`, `DELETE` and `PUT`, only for those requests that
+the followin `content-type` header: 'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'.
+
+It the "origin" header doesn't match the pathname of the request, Astro will return a 403 status code and won't render the page.

packages/astro/src/@types/astro.ts

@@ -1610,6 +1610,45 @@ export interface AstroUserConfig {
 	 */
 	legacy?: object;
 
+	/**
+	 * @name security
+	 * @type {object}
+	 * @version 4.6.0
+	 * @type {object}
+	 * @description
+	 *
+	 * It allows to opt-in various security features.
+	 */
+	security?: {
+		/**
+		 * @name security.csrfProtection
+		 * @type {object}
+		 * @default '{}'
+		 * @version 4.6.0
+		 * @description
+		 *
+		 * It enables some security measures to prevent CSRF attacks: https://owasp.org/www-community/attacks/csrf
+		 */
+
+		csrfProtection?: {
+			/**
+			 * @name security.csrfProtection.origin
+			 * @type {boolean}
+			 * @default 'false'
+			 * @version 4.6.0
+			 * @description
+			 *
+			 * When enabled, it checks that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`.
+			 *
+			 * The "origin" check is executed only on-demand pages, and only for the requests `POST, `PATCH`, `DELETE` and `PUT`, only for those requests that
+			 * the followin `content-type` header: 'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'.
+			 *
+			 * It the "origin" header doesn't match the pathname of the request, Astro will return a 403 status code and won't render the page.
+			 */
+			origin?: boolean;
+		};
+	};
+
 	/**
 	 * @docs
 	 * @kind heading
@@ -1821,6 +1860,29 @@ export interface AstroUserConfig {
 		 * See the [Internationalization Guide](https://docs.astro.build/en/guides/internationalization/#domains-experimental) for more details, including the limitations of this experimental feature.
 		 */
 		i18nDomains?: boolean;
+
+		/**
+		 * @docs
+		 * @name experimental.csrfProtection
+		 * @type {boolean}
+		 * @default `false`
+		 * @version 4.6.0
+		 * @description
+		 *
+		 * It enables the CSRF protection for Astro websites.
+		 *
+		 * The CSRF protection works only for on-demand pages (SSR) and hybrid pages where prerendering is opted out.
+		 *
+		 * ```js
+		 * // astro.config.mjs
+		 * export default defineConfig({
+		 *   experimental: {
+		 *     csrfProtection: true,
+		 *   },
+		 * })
+		 * ```
+		 */
+		csrfProtection?: boolean;
 	};
 }
 

packages/astro/src/core/app/index.ts

@@ -1,6 +1,7 @@
 import type {
 	ComponentInstance,
 	ManifestData,
+	MiddlewareHandler,
 	RouteData,
 	SSRManifest,
 } from '../../@types/astro.js';
@@ -31,6 +32,7 @@ import { createAssetLink } from '../render/ssr-element.js';
 import { ensure404Route } from '../routing/astro-designed-error-pages.js';
 import { matchRoute } from '../routing/match.js';
 import { AppPipeline } from './pipeline.js';
+import { defineMiddleware, sequence } from '../middleware/index.js';
 export { deserializeManifest } from './common.js';
 
 export interface RenderOptions {
@@ -112,6 +114,13 @@ export class App {
 	 * @private
 	 */
 	#createPipeline(streaming = false) {
+		if (this.#manifest.csrfProtection?.origin === true) {
+			this.#manifest.middleware = sequence(
+				this.#createOriginCheckMiddleware(),
+				this.#manifest.middleware
+			);
+		}
+
 		return AppPipeline.create({
 			logger: this.#logger,
 			manifest: this.#manifest,
@@ -137,6 +146,42 @@ export class App {
 		});
 	}
 
+	/**
+	 * Content types that can be passed when sending a request via a form
+	 *
+	 * https://developer.mozilla.org/en-US/docs/Web/API/HTMLFormElement/enctype
+	 * @private
+	 */
+	#formContentTypes = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
+
+	/**
+	 * Returns a middleware function in charge to check the `origin` header.
+	 *
+	 * @private
+	 */
+	#createOriginCheckMiddleware(): MiddlewareHandler {
+		return defineMiddleware((context, next) => {
+			const { request, url } = context;
+			const contentType = request.headers.get('content-type');
+			if (contentType) {
+				if (this.#formContentTypes.includes(contentType)) {
+					const forbidden =
+						(request.method === 'POST' ||
+							request.method === 'PUT' ||
+							request.method === 'PATCH' ||
+							request.method === 'DELETE') &&
+						request.headers.get('origin') !== url.origin;
+					if (forbidden) {
+						return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
+							status: 403,
+						});
+					}
+				}
+			}
+			return next();
+		});
+	}
+
 	set setManifestData(newManifestData: ManifestData) {
 		this.#manifestData = newManifestData;
 	}

packages/astro/src/core/app/types.ts

@@ -64,6 +64,7 @@ export type SSRManifest = {
 	pageMap?: Map<ComponentPath, ImportComponentInstance>;
 	i18n: SSRManifestI18n | undefined;
 	middleware: MiddlewareHandler;
+	csrfProtection: SSRCsrfProtection | undefined;
 };
 
 export type SSRManifestI18n = {
@@ -74,6 +75,10 @@ export type SSRManifestI18n = {
 	domainLookupTable: Record<string, string>;
 };
 
+export type SSRCsrfProtection = {
+	origin: boolean;
+};
+
 export type SerializedSSRManifest = Omit<
 	SSRManifest,
 	'middleware' | 'routes' | 'assets' | 'componentMetadata' | 'inlinedScripts' | 'clientDirectives'

packages/astro/src/core/build/generate.ts

@@ -615,5 +615,8 @@ function createBuildManifest(
 		i18n: i18nManifest,
 		buildFormat: settings.config.build.format,
 		middleware,
+		csrfProtection: settings.config.experimental.csrfProtection
+			? settings.config.security?.csrfProtection
+			: undefined,
 	};
 }

packages/astro/src/core/build/plugins/plugin-manifest.ts

@@ -276,5 +276,8 @@ function buildManifest(
 		assets: staticFiles.map(prefixAssetPath),
 		i18n: i18nManifest,
 		buildFormat: settings.config.build.format,
+		csrfProtection: settings.config.experimental.csrfProtection
+			? settings.config.security?.csrfProtection
+			: undefined,
 	};
 }

packages/astro/src/core/config/schema.ts

@@ -86,6 +86,7 @@ const ASTRO_CONFIG_DEFAULTS = {
 		clientPrerender: false,
 		globalRoutePriority: false,
 		i18nDomains: false,
+		csrfProtection: false,
 	},
 } satisfies AstroUserConfig & { server: { open: boolean } };
 
@@ -139,6 +140,15 @@ export const AstroConfigSchema = z.object({
 			.array(z.object({ name: z.string(), hooks: z.object({}).passthrough().default({}) }))
 			.default(ASTRO_CONFIG_DEFAULTS.integrations)
 	),
+	security: z
+		.object({
+			csrfProtection: z
+				.object({
+					origin: z.boolean().default(false),
+				})
+				.optional(),
+		})
+		.optional(),
 	build: z
 		.object({
 			format: z
@@ -508,6 +518,10 @@ export const AstroConfigSchema = z.object({
 				.boolean()
 				.optional()
 				.default(ASTRO_CONFIG_DEFAULTS.experimental.globalRoutePriority),
+			csrfProtection: z
+				.boolean()
+				.optional()
+				.default(ASTRO_CONFIG_DEFAULTS.experimental.csrfProtection),
 			i18nDomains: z.boolean().optional().default(ASTRO_CONFIG_DEFAULTS.experimental.i18nDomains),
 		})
 		.strict(

packages/astro/src/vite-plugin-astro-server/plugin.ts

@@ -143,6 +143,9 @@ export function createDevelopmentManifest(settings: AstroSettings): SSRManifest
 		componentMetadata: new Map(),
 		inlinedScripts: new Map(),
 		i18n: i18nManifest,
+		csrfProtection: settings.config.experimental.csrfProtection
+			? settings.config.security?.csrfProtection
+			: undefined,
 		middleware(_, next) {
 			return next();
 		},