.. _envoy_v3_api_file_envoy/extensions/filters/http/csrf/v3/csrf.proto: CSRF (proto) ============ .. _extension_envoy.filters.http.csrf: This extension has the qualified name ``envoy.filters.http.csrf`` .. note:: This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted. .. tip:: This extension extends and can be used with the following extension category: - :ref:`envoy.filters.http ` This extension must be configured with one of the following type URLs: - :ref:`type.googleapis.com/envoy.extensions.filters.http.csrf.v3.CsrfPolicy ` Cross-Site Request Forgery :ref:`configuration overview `. .. _envoy_v3_api_msg_extensions.filters.http.csrf.v3.CsrfPolicy: extensions.filters.http.csrf.v3.CsrfPolicy ------------------------------------------ :repo:`[extensions.filters.http.csrf.v3.CsrfPolicy proto] ` CSRF filter config. .. code-block:: json :force: { "filter_enabled": {...}, "shadow_enabled": {...}, "additional_origins": [] } .. _envoy_v3_api_field_extensions.filters.http.csrf.v3.CsrfPolicy.filter_enabled: filter_enabled (:ref:`config.core.v3.RuntimeFractionalPercent `, *REQUIRED*) Specifies the % of requests for which the CSRF filter is enabled. If :ref:`runtime_key ` is specified, Envoy will lookup the runtime key to get the percentage of requests to filter. .. note:: This field defaults to 100/:ref:`HUNDRED `. .. _envoy_v3_api_field_extensions.filters.http.csrf.v3.CsrfPolicy.shadow_enabled: shadow_enabled (:ref:`config.core.v3.RuntimeFractionalPercent `) Specifies that CSRF policies will be evaluated and tracked, but not enforced. This is intended to be used when ``filter_enabled`` is off and will be ignored otherwise. If :ref:`runtime_key ` is specified, Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate and track the request's ``Origin`` and ``Destination`` to determine if it's valid, but will not enforce any policies. .. _envoy_v3_api_field_extensions.filters.http.csrf.v3.CsrfPolicy.additional_origins: additional_origins (**repeated** :ref:`type.matcher.v3.StringMatcher `) Specifies additional source origins that will be allowed in addition to the destination origin. More information on how this can be configured via runtime can be found :ref:`here `.