CSRFProtection
microgateway.airlock.com/v1alpha1
CSRFProtection defines a policy for protecting against Cross-Site Request Forgery attacks.
If CSRF protection is configured, by default all requests using non-safe HTTP methods (e.g., POST, PUT, DELETE) will be blocked unless their origin matches the host.
To explicitly allow certain cross-site requests, exceptions may be defined.
apiVersion: microgateway.airlock.com/v1alpha1
kind: CSRFProtection
metadata:
name: csrf-protection-example
spec:
settings:
# Explicitly set the 'threatHandlingMode' to 'Block'
threatHandlingMode: Block
exceptions:
# Define a CSRF exception if the request condition matches.
- requestConditions:
path:
matcher:
regex: ^/member/
ignoreCase: true
invert: false
remoteIP:
cidrRanges:
- 192.168.1.0/24
- 10.0.0.0/16
invert: false
method:
- DELETEapiVersion: microgateway.airlock.com/v1alpha1
kind: CSRFProtection
metadata:
name: default
spec:
settings:
threatHandlingMode: BlockCSRFProtection
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | ||
| spec | defines the desired CSRF protection configuration. | object | no |
CSRFProtection.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| exceptions | defines CSRF exceptions. | object[] | no | ||
| settings | configures the CSRF filter. | object | no |
CSRFProtection.spec.exceptions[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| requestConditions | defines an exception based on request properties (all must match), without taking into consideration the reason why a request has been blocked. | object | yes |
CSRFProtection.spec.exceptions[].requestConditions
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | defines the matching headers of a request. | object | no | ||
| invert | indicates whether the request condition should be inverted. | bool | no | false |
true, false |
| mediaType | defines the matching media type from the content-type header of a request. | object | no | ||
| method | defines the matching methods of a request. | enum[] | no | CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE |
|
| path | defines the matching path of a request. | object | no | ||
| remoteIP | defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the remoteIP configuration in the SidecarGateway / GatewayParameters resource to ensure correct client IP detection. |
object | no |
CSRFProtection.spec.exceptions[].requestConditions.header
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | defines the name of a header. | object | no | ||
| value | defines the value of a header. | object | no |
CSRFProtection.spec.exceptions[].requestConditions.header.name
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
CSRFProtection.spec.exceptions[].requestConditions.header.name.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no |
CSRFProtection.spec.exceptions[].requestConditions.header.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
CSRFProtection.spec.exceptions[].requestConditions.header.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
bool | no | false |
true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no |
CSRFProtection.spec.exceptions[].requestConditions.mediaType
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
CSRFProtection.spec.exceptions[].requestConditions.mediaType.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no |
CSRFProtection.spec.exceptions[].requestConditions.path
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
CSRFProtection.spec.exceptions[].requestConditions.path.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
bool | no | false |
true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no |
CSRFProtection.spec.exceptions[].requestConditions.remoteIP
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. |
string[] | yes | ||
| invert | indicates whether the match should be inverted. | bool | no | false |
true, false |
CSRFProtection.spec.settings
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| threatHandlingMode | specifies how threats should be handled if a CSRF attack is detected. | enum | no | Block |
Block, LogOnly |