{"id":14955936,"url":"https://github.com/moneytree/rack-corsgate","last_synced_at":"2025-11-11T18:23:21.910Z","repository":{"id":53521622,"uuid":"148740261","full_name":"moneytree/rack-corsgate","owner":"moneytree","description":"Modern CORS-based CSRF-protection for Rack apps","archived":false,"fork":false,"pushed_at":"2023-07-18T02:32:11.000Z","size":22,"stargazers_count":1,"open_issues_count":9,"forks_count":2,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-10-29T14:18:03.591Z","etag":null,"topics":["csrf","rack","rails","ruby"],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/moneytree.png","metadata":{"files":{"readme":"ReadMe.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-14T05:33:14.000Z","updated_at":"2024-08-18T01:53:07.000Z","dependencies_parsed_at":"2024-09-02T15:33:05.562Z","dependency_job_id":"a269e925-5881-47e2-8e66-df3b7ef8478c","html_url":"https://github.com/moneytree/rack-corsgate","commit_stats":{"total_commits":6,"total_committers":3,"mean_commits":2.0,"dds":"0.33333333333333337","last_synced_commit":"e7940f569dcd9c875eee019f919584d057426080"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moneytree%2Frack-corsgate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moneytree%2Frack-corsgate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moneytree%2Frack-corsgate/releases","manifests_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/repositories/moneytree%2Frack-corsgate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/moneytree","download_url":"https://codeload.github.com/moneytree/rack-corsgate/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237944038,"owners_count":19391588,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csrf","rack","rails","ruby"],"created_at":"2024-09-24T13:12:02.816Z","updated_at":"2025-10-24T09:30:23.352Z","avatar_url":"https://github.com/moneytree.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Rack CorsGate middleware\n\nInspired by [CorsGate](https://github.com/mixmaxhq/cors-gate) as introduced by Mixmax, this Gem implements the same\nCSRF-protection for Rack. In short, we use `Rack::Cors` to configure whether or not requests are allowed to occur, and\nwe enforce them via this middleware. Requests that are potential threats are blocked with a `403` response. Please read\n[Using CORS policies to implement CSRF protection](https://mixmax.com/blog/modern-csrf) for the philosophy behind this\nmiddleware.\n\n## Installation\n\nInstall the gem:\n\n`gem install rack-corsgate`\n\nOr in your Gemfile:\n\n```ruby\ngem 'rack-corsgate'\n```\n\n**Dependencies**\n\nYour application must have `Rack::Cors` available. 
See: [Rack CORS Middleware](https://github.com/cyu/rack-cors)\n\nFollow the configuration requirements given in its readme.\n\n## Configuration\n\nCorsGate is actually two Rack middlewares:\n\n- `CorsGateOriginProcessor` checks whether the request carries an `Origin` header. If it does not, it tries to derive the\n  origin from the `Referer` header. This middleware must run *before* `Rack::Cors`, so that the derived origin is what `Rack::Cors` evaluates its policy against.\n- `CorsGate` enforces the result of the CORS test on the request by actively blocking requests that are\n  potential CSRF attacks. This middleware must run *after* `Rack::Cors`.\n\nThe easiest way to sandwich `Rack::Cors` between these two middlewares is as follows:\n\n```ruby\n# Rack::CorsGate.use middleware, opts = {}, \u0026forbidden_handler\nRack::CorsGate.use config.middleware\n```\n\nThis is essentially a shortcut for the following:\n\n```ruby\nconfig.middleware.insert_before Rack::Cors, Rack::CorsGateOriginProcessor\nconfig.middleware.insert_after Rack::Cors, Rack::CorsGate\n```\n\nThe options hash passed to `Rack::CorsGate.use` is passed on to both middlewares. 
The block applies to `Rack::CorsGate`\nonly (see API below).\n\n**API**\n\n```ruby\nconfig.middleware.insert_before Rack::Cors, Rack::CorsGateOriginProcessor, { remove_null_origin: false }\n```\n\n*Options:*\n\n- `remove_null_origin` (boolean, default: false): Treats a literal `null` Origin header, which browsers send for example for requests from sandboxed iframes and after some cross-origin redirects, as if no Origin header was set. Because `strict: false` lets requests without an origin through, combine this option with `strict: true` unless `null`-origin requests are meant to pass.\n\n```ruby\nconfig.middleware.insert_after Rack::Cors, Rack::CorsGate, { simulation: false, strict: false, allow_safe: true } do |env, origin, method|\n  # env: https://www.rubydoc.info/github/rack/rack/master/file/SPEC#label-The+Environment\n\n  Rails.logger.warn(\"Blocked #{method} request from origin #{origin} to #{env['PATH_INFO']}\")\nend\n```\n\n*Options:*\n\n- `simulation` (boolean, default: false): Lets requests that would be rejected through as if the middleware were not there, while still invoking the block below for each of them. This is useful for logging what *would* be blocked during a rollout or in tests; do not leave it enabled in production.\n- `strict` (boolean, default: false): If true, rejects every request that carries no origin. Note that a `Referer`\n  header stands in for a missing `Origin` header if `CorsGateOriginProcessor` is used. With the default `false`, a request carrying neither header is allowed through; browsers send `Origin` on cross-origin requests, so such requests usually come from non-browser clients, but a `Referrer-Policy` of `no-referrer` also removes the `Referer` fallback.\n- `allow_safe` (boolean, default: false): If true, allows `GET` and `HEAD` requests through even if the origin is not\n  allowed by CORS or the `Origin` header is missing. This is only safe when those methods have no side effects, as HTTP requires of them; a state-changing `GET` endpoint is left unprotected by this middleware.\n\nBlock `|env, origin, method|`:\n\nThis optional block is invoked whenever a request is about to be rejected, also in simulation mode (where the request is then still passed through). It receives the Rack `env`, the origin that was checked, and the request method.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoneytree%2Frack-corsgate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmoneytree%2Frack-corsgate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoneytree%2Frack-corsgate/lists"}
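The Configuration and API sections of the README describe the middleware sandwich and its options in words. The following stand-alone Ruby model is added here as an example; it is not code from rack-corsgate or Rack::Cors. It runs constructed requests through an origin-processor, then a CORS-policy, then a gate, all built from plain hashes shaped like a Rack env, so it needs no gems. The `Demo*` class names, the `ALLOWED_ORIGINS` list, the `demo.cors_allowed` env key and the sample requests are assumptions of the example, and the policy layer is a one-line stand-in for `Rack::Cors`; only the documented behaviour of `remove_null_origin`, `strict`, `allow_safe`, `simulation` and the rejection block is modelled.

```ruby
# Added illustration of the documented option semantics; NOT the gem's code.
# Runs without Rack, rack-cors or rack-corsgate installed.
require 'uri'

# Assumption: stand-in for the Rack::Cors policy, the only origin allowed to call the API.
ALLOWED_ORIGINS = ['https://app.example.com'].freeze

# Models CorsGateOriginProcessor: fill a missing Origin from the Referer,
# optionally treating the literal string "null" as "no Origin header".
class DemoOriginProcessor
  def initialize(app, remove_null_origin: false)
    @app = app
    @remove_null_origin = remove_null_origin
  end

  def call(env)
    env.delete('HTTP_ORIGIN') if @remove_null_origin && env['HTTP_ORIGIN'] == 'null'
    if !env.key?('HTTP_ORIGIN') && env['HTTP_REFERER']
      derived = origin_of(env['HTTP_REFERER'])
      env['HTTP_ORIGIN'] = derived if derived
    end
    @app.call(env)
  end

  private

  # scheme://host[:port] of a URL, or nil when it has no usable scheme/host
  def origin_of(url)
    uri = URI.parse(url)
    return nil unless uri.scheme && uri.host
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    "#{uri.scheme}://#{uri.host}#{port}"
  rescue URI::InvalidURIError
    nil
  end
end

# Stand-in for Rack::Cors: records whether the (possibly derived) origin is allowed.
class DemoCorsPolicy
  def initialize(app)
    @app = app
  end

  def call(env)
    env['demo.cors_allowed'] = ALLOWED_ORIGINS.include?(env['HTTP_ORIGIN'])
    @app.call(env)
  end
end

# Models CorsGate with the documented options and the |env, origin, method| block.
class DemoCorsGate
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(app, simulation: false, strict: false, allow_safe: false, &forbidden_handler)
    @app = app
    @simulation = simulation
    @strict = strict
    @allow_safe = allow_safe
    @forbidden_handler = forbidden_handler
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    method = env['REQUEST_METHOD']
    return @app.call(env) if permitted?(origin, method, env)

    @forbidden_handler&.call(env, origin, method)   # invoked even in simulation
    return @app.call(env) if @simulation            # log only, let it through

    [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
  end

  private

  def permitted?(origin, method, env)
    return true if @allow_safe && SAFE_METHODS.include?(method)
    return !@strict if origin.nil?   # no origin at all: only strict rejects
    env['demo.cors_allowed']
  end
end

# Build the sandwich and run one constructed request through it. Returns the
# status and the [origin, method] pairs reported to the forbidden handler.
def run_request(method, headers, processor_opts: {}, gate_opts: {})
  blocked = []
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  gate = DemoCorsGate.new(app, **gate_opts) { |_env, origin, m| blocked << [origin, m] }
  stack = DemoOriginProcessor.new(DemoCorsPolicy.new(gate), **processor_opts)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/transfer' }.merge(headers)
  status, = stack.call(env)
  [status, blocked]
end

if $PROGRAM_NAME == __FILE__
  # constructed: a cross-site form POST, and the same POST from the allowed app
  p run_request('POST', { 'HTTP_ORIGIN' => 'https://evil.example' })
  p run_request('POST', { 'HTTP_ORIGIN' => 'https://app.example.com' })
end
```

Running the same harness with `processor_opts: { remove_null_origin: true }` on a request carrying `Origin: null` shows the caveat noted under that option: without `strict: true` the request is treated like one with no Origin at all and is let through; with `strict: true` it is rejected.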