CSRF

This documentation is for the Envoy v3 API.

As of Envoy v1.18 the v2 API has been removed and is no longer supported.

If you are upgrading from v2 API config you may wish to view the v2 API documentation:

This extension may be referenced by the qualified name envoy.filters.http.csrf

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

Cross-Site Request Forgery configuration overview.

extensions.filters.http.csrf.v3.CsrfPolicy

[extensions.filters.http.csrf.v3.CsrfPolicy proto]

CSRF filter config.

{
  "filter_enabled": "{...}",
  "shadow_enabled": "{...}",
  "additional_origins": []
}

filter_enabled

(config.core.v3.RuntimeFractionalPercent, REQUIRED) Specifies the % of requests for which the CSRF filter is enabled.

If runtime_key is specified, Envoy will look up the runtime key to get the percentage of requests to filter.

Note

This field defaults to 100/HUNDRED.

shadow_enabled

(config.core.v3.RuntimeFractionalPercent) Specifies that CSRF policies will be evaluated and tracked, but not enforced.

This is intended to be used when filter_enabled is off and will be ignored otherwise.

If runtime_key is specified, Envoy will look up the runtime key to get the percentage of requests for which it will evaluate and track the request’s Origin and Destination to determine if it’s valid, but will not enforce any policies.

additional_origins

(repeated type.matcher.v3.StringMatcher) Specifies additional source origins that will be allowed in addition to the destination origin.

More information on how this can be configured via runtime can be found here.
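The following is an added example of wiring CsrfPolicy into an HTTP connection manager's filter chain; it is not taken from the Envoy documentation. It starts with enforcement off and shadow evaluation on, so mismatches show up in stats before any request is rejected; the runtime keys (csrf.filter_enabled, csrf.shadow_enabled) and the hostnames are assumed values chosen for illustration.

```yaml
http_filters:
- name: envoy.filters.http.csrf
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.csrf.v3.CsrfPolicy
    # Enforce on 0% of requests by default. The runtime key (assumed name)
    # lets operators raise the numerator later without a config reload.
    filter_enabled:
      default_value:
        numerator: 0
        denominator: HUNDRED
      runtime_key: csrf.filter_enabled
    # While filter_enabled is off, evaluate every request and record the
    # outcome in stats; this block is ignored once enforcement is on.
    shadow_enabled:
      default_value:
        numerator: 100
        denominator: HUNDRED
      runtime_key: csrf.shadow_enabled
    # Source origins accepted besides the destination origin (hostnames are
    # placeholders). Keep the leading dot on a suffix matcher so that a host
    # such as nottrusted.example.com is not matched by accident.
    additional_origins:
    - exact: "https://admin.example.com"
    - suffix: ".trusted.example.com"
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# Bootstrap runtime layer (assumed layout) used to flip from shadow to
# enforcement: the runtime value replaces the numerator of the matching
# default_value, so 100 here means 100/HUNDRED.
layered_runtime:
  layers:
  - name: static_layer
    static_layer:
      csrf.filter_enabled: 100
      csrf.shadow_enabled: 0
```

With the filter in shadow mode, watch the filter's stats for requests whose Origin did not match before raising csrf.filter_enabled, since every one of them would become a rejection under enforcement.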