Severity: LOW (verification)
stem already has s.csrfManager.CSRFMiddleware(s.mux) (server.go:781) with a documented exempt-list in internal/auth/csrf.go. This issue is a defensive audit, not a fix.
Tasks
- Re-read
isCSRFExemptPath and confirm every exemption is justified.
- Add
scripts/check-csrf-coverage.sh that fails CI if a new POST/PUT/DELETE/PATCH route is added without CSRF coverage (or added to the exempt list).
- Integration test: POST
/api/v1/test/start without X-Csrf-Token returns 403.
Acceptance
- Written justification for each exempt path.
- CI gate prevents accidental new bypasses.
- Test added.
Severity: LOW (verification)
stem already has
s.csrfManager.CSRFMiddleware(s.mux)(server.go:781) with a documented exempt-list ininternal/auth/csrf.go. This issue is a defensive audit, not a fix.Tasks
isCSRFExemptPathand confirm every exemption is justified.scripts/check-csrf-coverage.shthat fails CI if a new POST/PUT/DELETE/PATCH route is added without CSRF coverage (or added to the exempt list)./api/v1/test/startwithoutX-Csrf-Tokenreturns 403.Acceptance