CSRFProtection

microgateway.airlock.com/v1alpha1

CSRFProtection contains the configuration for CSRF.

apiVersion: microgateway.airlock.com/v1alpha1
kind: CSRFProtection
metadata:
  name: csrf-protection-example
spec:
  settings:
    # Explicitly set the 'threatHandlingMode' to 'Block'
    threatHandlingMode: Block
  exceptions:
    # Define a CSRF exception if the request condition matches.
    - requestConditions:
        path:
          matcher:
            regex: ^/member/
            ignoreCase: true
        invert: false
        remoteIP:
          cidrRanges:
            - 192.168.1.0/24
            - 10.0.0.0/16
          invert: false
        method:
          - DELETE

apiVersion: microgateway.airlock.com/v1alpha1
kind: CSRFProtection
metadata:
  name: default
spec: 
  settings: 
    threatHandlingMode: Block

CSRFProtection

Field	Type	Description	Required	Default	Allowed Values
`metadata`	ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`	yes
spec	object	Specification of the desired CSRF behavior.	no

CSRFProtection.spec

Field	Type	Description	Required	Default	Allowed Values
exceptions	object[]	Exceptions defines CSRF exceptions.	no
settings	object	Settings configures the CSRF filter.	no

CSRFProtection.spec.exceptions[]

Field	Type	Description	Required	Default	Allowed Values
requestConditions	object	RequestConditions defines an exception based on request properties (all must match), without taking into consideration the reason why a request has been blocked.	yes

CSRFProtection.spec.exceptions[].requestConditions

Field	Type	Description	Required	Default	Allowed Values
header	object	Header defines the matching headers of a request.	no
`invert`	bool	Invert indicates whether the request condition should be inverted.	no	`false`	`true`, `false`
mediaType	object	MediaType defines the matching media type from the content-type header of a request.	no
`method`	enum[]	Method defines the matching methods of a request.	no		`CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE`
path	object	Path defines the matching path of a request.	no
remoteIP	object	RemoteIP defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.	no

CSRFProtection.spec.exceptions[].requestConditions.header

Field	Type	Description	Required	Default	Allowed Values
name	object	Name defines the name of a header.	no
value	object	Value defines the value of a header.	no

CSRFProtection.spec.exceptions[].requestConditions.header.name

Field	Type	Description	Required	Default	Allowed Values
matcher	object	Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

CSRFProtection.spec.exceptions[].requestConditions.header.name.matcher

Field	Type	Description	Required
`contains`	string	Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no
`exact`	string	Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	no
`prefix`	string	Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no
`regex`	string	Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	no
`suffix`	string	Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no

CSRFProtection.spec.exceptions[].requestConditions.header.value

Field	Type	Description	Required	Default	Allowed Values
matcher	object		yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

CSRFProtection.spec.exceptions[].requestConditions.header.value.matcher

Field	Type	Description	Required	Default	Allowed Values
`contains`	string	Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no
`exact`	string	Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	no
`ignoreCase`	bool	IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	no	`false`	`true`, `false`
`prefix`	string	Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no
`regex`	string	Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	no
`suffix`	string	Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no

CSRFProtection.spec.exceptions[].requestConditions.mediaType

Field	Type	Description	Required	Default	Allowed Values
matcher	object		yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

CSRFProtection.spec.exceptions[].requestConditions.mediaType.matcher

Field	Type	Description	Required
`contains`	string	Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no
`exact`	string	Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	no
`prefix`	string	Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no
`regex`	string	Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	no
`suffix`	string	Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no

CSRFProtection.spec.exceptions[].requestConditions.path

Field	Type	Description	Required	Default	Allowed Values
matcher	object		yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

CSRFProtection.spec.exceptions[].requestConditions.path.matcher

Field	Type	Description	Required	Default	Allowed Values
`contains`	string	Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no
`exact`	string	Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	no
`ignoreCase`	bool	IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	no	`false`	`true`, `false`
`prefix`	string	Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no
`regex`	string	Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	no
`suffix`	string	Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	no

CSRFProtection.spec.exceptions[].requestConditions.remoteIP

Field	Type	Description	Required	Default	Allowed Values
`cidrRanges`	string[]	CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. `196.148.3.128/26` or `2001:db8::/28`.	yes
`invert`	bool	Invert indicates whether the match should be inverted.	no	`false`	`true`, `false`

CSRFProtection.spec.settings

Field	Type	Description	Required	Default	Allowed Values
`threatHandlingMode`	enum	ThreatHandlingMode specifies how threats should be handled if a CSRF attack is detected.	no	`Block`	`Block`, `LogOnly`