Skip to content

docs(security): CSRF/CSWSH coverage audit + per-adapter guidance (A4, #21)#36

Merged
fsecada01 merged 1 commit into
masterfrom
docs/a4-csrf-audit
Jul 1, 2026
Merged

docs(security): CSRF/CSWSH coverage audit + per-adapter guidance (A4, #21)#36
fsecada01 merged 1 commit into
masterfrom
docs/a4-csrf-audit

Conversation

@fsecada01

Copy link
Copy Markdown
Owner

Summary

Completes the A4 CSRF audit deliverable from Epic A (#21) as a docs-only change:

  • docs/SECURITY_CSRF.md (new) — canonical CSRF & Cross-Site WebSocket Hijacking guide: threat model (ambient-credential framing, form-encoded body vector), per-adapter coverage table (Django enforces via CsrfViewMiddleware; FastAPI/Litestar/Flask have zero enforcement), CSWSH exposure of all four WS handlers, documentation reality-check, and a prioritized list of follow-up work (issues to be opened separately).
  • CLAUDE.md — reworded the aspirational "CSRF protection required for mutations" bullet to reflect reality: enforced automatically only on the Django adapter; other adapters require host-level integration, pointing at the new doc.
  • README.md — added a docs-table row linking the new guide.

No code changes; no behavior changes.

Test plan

  • Docs-only change — no code paths affected
  • Verified relative link docs/SECURITY_CSRF.md resolves from README/CLAUDE.md at repo root
  • Markdown table renders correctly (per-adapter coverage table)

Refs #21 (A4 audit deliverable — audit report landed as documentation; follow-up issues from §5 to be opened separately).

🤖 Generated with Claude Code

https://claude.ai/code/session_01JpsdVdokfe732D9aQKTXXQ

@fsecada01 fsecada01 self-assigned this Jul 1, 2026
@fsecada01 fsecada01 added documentation Improvements or additions to documentation security Security-relevant work tier:table-stakes Required for production-grade priority:2-high High priority labels Jul 1, 2026
@fsecada01 fsecada01 merged commit 99d8a00 into master Jul 1, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation priority:2-high High priority security Security-relevant work tier:table-stakes Required for production-grade

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant