# CSRFProtection

microgateway.airlock.com/v1alpha1

CSRFProtection contains the configuration for CSRF.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: CSRFProtection
metadata:
  name: csrf-protection-example
spec:
  settings:
    # Explicitly set the 'threatHandlingMode' to 'Block'
    threatHandlingMode: Block
  exceptions:
    # Define a CSRF exception if the request condition matches.
    - requestConditions:
        path:
          matcher:
            regex: ^/member/
            ignoreCase: true
        invert: false
        remoteIP:
          cidrRanges:
            - 192.168.1.0/24
            - 10.0.0.0/16
          invert: false
        method:
          - DELETE
```

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: CSRFProtection
metadata:
  name: default
spec:
  settings:
    threatHandlingMode: Block
```
## CSRFProtection

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata | yes | | |
spec | object | Specification of the desired CSRF behavior. | no | | |

## CSRFProtection.spec

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
exceptions | object[] | Exceptions defines CSRF exceptions. | no | | |
settings | object | Settings configures the CSRF filter. | no | | |

## CSRFProtection.spec.exceptions[]

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
requestConditions | object | RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. | yes | | |
## CSRFProtection.spec.exceptions[].requestConditions

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
header | object | Header defines the matching headers of a request. | no | | |
invert | bool | Invert indicates whether the request condition should be inverted. | no | false | true, false |
mediaType | object | MediaType defines the matching media type from the content-type header of a request. | no | | |
method | enum[] | Method defines the matching methods of a request. | no | | CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE |
path | object | Path defines the matching path of a request. | no | | |
remoteIP | object | RemoteIP defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the remoteIP configuration in the SidecarGateway / GatewayParameters resource to ensure correct client IP detection. | no | | |
## CSRFProtection.spec.exceptions[].requestConditions.header

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | object | Name defines the name of a header. | no | | |
value | object | Value defines the value of a header. | no | | |

## CSRFProtection.spec.exceptions[].requestConditions.header.name

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

## CSRFProtection.spec.exceptions[].requestConditions.header.name.matcher

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
## CSRFProtection.spec.exceptions[].requestConditions.header.value

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

## CSRFProtection.spec.exceptions[].requestConditions.header.value.matcher

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
## CSRFProtection.spec.exceptions[].requestConditions.mediaType

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

## CSRFProtection.spec.exceptions[].requestConditions.mediaType.matcher

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
## CSRFProtection.spec.exceptions[].requestConditions.path

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

## CSRFProtection.spec.exceptions[].requestConditions.path.matcher

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
## CSRFProtection.spec.exceptions[].requestConditions.remoteIP

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
cidrRanges | string[] | CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | yes | | |
invert | bool | Invert indicates whether the match should be inverted. | no | false | true, false |
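To make the matching rules in the requestConditions tables concrete, here is an added Go example (not Airlock's code): it evaluates a path regex with the documented (?i:...) wrapping for ignoreCase, the remoteIP CIDR ranges with their invert flag, the method list and the requestConditions-level invert against a request. Assumptions: set conditions are combined with AND, as the csrf-protection-example above implies; header and mediaType are omitted; Go's regexp package stands in for RE2 (same syntax); the struct and field names are mine.

```go
package main

import (
	"net/netip"
	"regexp"
)

// Request carries the request properties the conditions below look at.
type Request struct{ Method, Path, RemoteIP string }
// RequestConditions models the page's requestConditions with a regex path
// matcher, the remoteIP block and the method list (header/mediaType omitted).
type RequestConditions struct {
	PathRegex              string
	PathIgnoreCase, Invert bool
	CIDRRanges, Methods    []string
	RemoteIPInvert         bool
}

// Matches reports whether req satisfies every condition that is set (unset
// conditions are skipped). Assumption: set conditions are AND-ed, and the
// requestConditions-level invert flips the combined result.
func (rc RequestConditions) Matches(req Request) bool {
	ok := true
	if rc.PathRegex != "" {
		re := rc.PathRegex
		if rc.PathIgnoreCase {
			re = "(?i:" + re + ")" // documented ignoreCase behaviour for regex
		}
		ok = ok && regexp.MustCompile(re).MatchString(req.Path) // Go regexp is RE2
	}
	if len(rc.CIDRRanges) > 0 {
		addr, err := netip.ParseAddr(req.RemoteIP) // unparsable IP never matches
		hit := false
		for _, r := range rc.CIDRRanges {
			if p, perr := netip.ParsePrefix(r); err == nil && perr == nil && p.Contains(addr) {
				hit = true
			}
		}
		ok = ok && hit != rc.RemoteIPInvert // remoteIP.invert flips the CIDR result
	}
	if len(rc.Methods) > 0 {
		hit := false
		for _, m := range rc.Methods {
			hit = hit || m == req.Method
		}
		ok = ok && hit
	}
	return ok != rc.Invert
}
```

With the example's exception (regex ^/member/, ignoreCase true, the two CIDR ranges, method DELETE), a DELETE to /Member/42 from 10.0.7.9 matches and is therefore exempt from the CSRF check, while the same request from 172.16.0.5, or sent with POST, is not.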
## CSRFProtection.spec.settings

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled if a CSRF attack is detected. | no | Block | Block, LogOnly |