.. _envoy_api_file_envoy/config/filter/http/csrf/v2/csrf.proto: CSRF ==== .. _extension_envoy.filters.http.csrf: This extension may be referenced by the qualified name *envoy.filters.http.csrf* .. note:: This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted. Cross-Site Request Forgery :ref:`configuration overview `. .. _envoy_api_msg_config.filter.http.csrf.v2.CsrfPolicy: config.filter.http.csrf.v2.CsrfPolicy ------------------------------------- `[config.filter.http.csrf.v2.CsrfPolicy proto] `_ CSRF filter config. .. code-block:: json { "filter_enabled": "{...}", "shadow_enabled": "{...}", "additional_origins": [] } .. _envoy_api_field_config.filter.http.csrf.v2.CsrfPolicy.filter_enabled: filter_enabled (:ref:`core.RuntimeFractionalPercent `, *REQUIRED*) Specifies the % of requests for which the CSRF filter is enabled. If :ref:`runtime_key ` is specified, Envoy will lookup the runtime key to get the percentage of requests to filter. .. note:: This field defaults to 100/:ref:`HUNDRED `. .. _envoy_api_field_config.filter.http.csrf.v2.CsrfPolicy.shadow_enabled: shadow_enabled (:ref:`core.RuntimeFractionalPercent `) Specifies that CSRF policies will be evaluated and tracked, but not enforced. This is intended to be used when ``filter_enabled`` is off and will be ignored otherwise. If :ref:`runtime_key ` is specified, Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate and track the request's *Origin* and *Destination* to determine if it's valid, but will not enforce any policies. .. _envoy_api_field_config.filter.http.csrf.v2.CsrfPolicy.additional_origins: additional_origins (**repeated** :ref:`type.matcher.StringMatcher `) Specifies additional source origins that will be allowed in addition to the destination origin. More information on how this can be configured via runtime can be found :ref:`here `.