Skip to content

[SECURITY] Audit CSRF exempt-list + add CI grep gate #341

Description

@krisarmstrong

Severity: LOW (verification)

stem already has s.csrfManager.CSRFMiddleware(s.mux) (server.go:781) with a documented exempt-list in internal/auth/csrf.go. This issue is a defensive audit, not a fix.

Tasks

  1. Re-read isCSRFExemptPath and confirm every exemption is justified.
  2. Add scripts/check-csrf-coverage.sh that fails CI if a new POST/PUT/DELETE/PATCH route is added without CSRF coverage (or added to the exempt list).
  3. Integration test: POST /api/v1/test/start without X-Csrf-Token returns 403.

Acceptance

  • Written justification for each exempt path.
  • CI gate prevents accidental new bypasses.
  • Test added.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions