OeditusCredo.Check.Security.MissingCSRFProtection
(OeditusCredo v0.6.0)
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
Detects potential missing or disabled CSRF protection (CWE-352).
This check covers both:
- Web/API pipelines handling state-changing routes without CSRF protection.
- Explicit CSRF removal or bypass patterns.
Bad:

    pipeline :api do
      plug :accepts, ["json"]
    end

    Plug.Conn.delete_csrf_token(conn)

Good:

    pipeline :browser do
      plug :protect_from_forgery
    end

Check-Specific Parameters
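The following router is an added example, not code from the OeditusCredo documentation or from the check itself. It shows the two pipeline shapes the check cares about in one Phoenix router: a cookie-session browser pipeline that carries `protect_from_forgery`, and a JSON pipeline that is also called from the browser session and therefore needs the same protection (the token travels in the `x-csrf-token` header that `Plug.CSRFProtection` accepts). The module and controller names (`DemoWeb.*`) are hypothetical.

```elixir
# Added example, not part of the OeditusCredo docs. Module names are hypothetical.
defmodule DemoWeb.Router do
  use Phoenix.Router
  import Plug.Conn            # fetch_session/2
  import Phoenix.Controller   # accepts/2, protect_from_forgery/2, put_secure_browser_headers/2

  # Cookie-backed pipeline. A forged cross-site POST would carry the session cookie
  # automatically, so every state-changing request through here must present the
  # CSRF token that protect_from_forgery validates against the session.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # JSON endpoints that the same browser session calls via fetch/XHR. Because the
  # session cookie is still attached, they are just as exposed as the HTML routes,
  # so the pipeline keeps the session and the forgery check. The front end sends the
  # token in the "x-csrf-token" header, which Plug.CSRFProtection accepts alongside
  # the "_csrf_token" form parameter.
  pipeline :session_api do
    plug :accepts, ["json"]
    plug :fetch_session
    plug :protect_from_forgery
  end

  scope "/", DemoWeb do
    pipe_through :browser

    get "/posts/new", PostController, :new
    # State-changing route: covered by protect_from_forgery in the :browser pipeline.
    post "/posts", PostController, :create
  end

  scope "/api", DemoWeb do
    pipe_through :session_api

    # State-changing JSON route reachable with the browser's session cookie.
    post "/posts", PostApiController, :create
    delete "/posts/:id", PostApiController, :delete
  end
end
```

A pipeline that consists of `plug :accepts, ["json"]` alone, like the "Bad" sample above, is what the check reports. If such a pipeline serves only clients that authenticate with an `Authorization` header and never with a cookie, a cross-site request cannot borrow any credential and the finding is a false positive for that pipeline; the fix in that case is to document the authentication model and configure the check accordingly, not to add `delete_csrf_token` calls.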
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false)
This parameter defaults to nil.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.
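The following `.credo.exs` fragment is an added example, not configuration shipped with OeditusCredo. It enables this check (it is disabled by default) and sets the `:exclude_test_files` parameter documented above. It assumes the project already lists OeditusCredo as a dependency and that Credo's list-style `checks:` key is in use; the `files:` paths are placeholders.

```elixir
# Added example, not part of the OeditusCredo docs. Paths are placeholders.
%{
  configs: [
    %{
      name: "default",
      files: %{
        included: ["lib/", "test/"],
        excluded: ["_build/", "deps/"]
      },
      checks: [
        # Opt in explicitly: the check is disabled by default. It already carries a
        # base priority of :high, so no priority override is needed here.
        # exclude_test_files: true skips test files, where fixtures such as a bare
        # :api pipeline or a deleted CSRF token are often intentional.
        {OeditusCredo.Check.Security.MissingCSRFProtection, exclude_test_files: true}
      ]
    }
  ]
}
```

With this in place a normal `mix credo` run includes the check; `mix credo --checks MissingCSRFProtection` narrows a run to it while tuning the configuration.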