Draft: feat: Switch backend from using custom to Quarkus CSRF
- feat: Switch backend from using custom to Quarkus CSRF
This feature makes use of a header-submitted CSRF token that is checked against a cookie value as the source of truth. As the cookie is an HttpOnly secure token, this should be much less intrusive than our current solution and likely safer in the end.
Currently, this solution assumes that the Slack webhook will be submitting a cookie to the API, as the Quarkus solution is hardcoded to check for the presence of the CSRF cookie, even when checking is disabled.
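
The header-against-cookie check described above, as an added example that is not part of this merge request and is not the Quarkus implementation. The cookie name, header name and `check` method are assumptions made for illustration; the fourth case is a caller that sends no cookie, as a webhook would.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

/** Added illustration of a header-vs-cookie CSRF check; not Quarkus code. */
public class CsrfDoubleSubmitDemo {
    // Assumed names for this sketch; real names come from the application's configuration.
    static final String COOKIE_NAME = "csrf-token";
    static final String HEADER_NAME = "X-CSRF-TOKEN";

    enum Result { ALLOWED, NO_COOKIE, NO_HEADER, MISMATCH }

    static Result check(String method, Map<String, String> cookies, Map<String, String> headers) {
        // Safe methods do not change state, so no token is required for them.
        if (method.equals("GET") || method.equals("HEAD") || method.equals("OPTIONS")) {
            return Result.ALLOWED;
        }
        // The cookie is the source of truth: without it there is nothing to compare against.
        String cookie = cookies.get(COOKIE_NAME);
        if (cookie == null || cookie.isEmpty()) {
            return Result.NO_COOKIE;
        }
        String header = headers.get(HEADER_NAME);
        if (header == null || header.isEmpty()) {
            return Result.NO_HEADER;
        }
        // Constant-time comparison so the check does not reveal how many bytes matched.
        boolean same = MessageDigest.isEqual(
                cookie.getBytes(StandardCharsets.UTF_8),
                header.getBytes(StandardCharsets.UTF_8));
        return same ? Result.ALLOWED : Result.MISMATCH;
    }

    public static void main(String[] args) {
        String token = "constructed-sample-token"; // constructed value, not a real token
        Map<String, String> cookie = Map.of(COOKIE_NAME, token);

        // 1. Browser request with cookie and matching header.
        System.out.println(check("POST", cookie, Map.of(HEADER_NAME, token)));
        // 2. Cookie sent automatically by the browser, but the header is absent.
        System.out.println(check("POST", cookie, Map.of()));
        // 3. Header present but carrying a different value than the cookie.
        System.out.println(check("POST", cookie, Map.of(HEADER_NAME, "other-value")));
        // 4. Server-to-server caller with no cookie jar.
        System.out.println(check("POST", Map.of(), Map.of()));
        // 5. Safe method without any token.
        System.out.println(check("GET", Map.of(), Map.of()));
    }
}
```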