Open peterbe opened 9 years ago
I have some handlers that use POST, PUT etc. that I do NOT want to be protected by nosurf. These are REST API endpoints that don't need CSRF protection as you can't use them without an Auth-Token header anyway.
I can use nosurf like this:
But now my poor REST API endpoints get a Vary Cookie and a Set-Cookie too.
Can I use nosurf to protect just individual handler functions and not the whole mux thing?
Might not be the best solution, but you could give each route in your router a separate nosurf instance.
Many routers support adding subrouters, so you could have "api" and "www" sets of routes and protect only one of them.
Thanks. I'll try that. Do you still think it's worth keeping this issue or is grouping sub-groups of routes the solid solution?
It might not be an ideal solution, but I would not like to introduce much complexity for filtering routes in nosurf itself (separate blacklist/whitelist modes, etc.).
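The subrouter approach suggested in the thread, as an added example that is not part of the original issue and not nosurf's own code. It uses only net/http so it runs offline: `protect` is an assumed stand-in with the same `func(http.Handler) http.Handler` shape as `nosurf.New` (swap it for the real constructor in a project), reproducing only the observable effects the opener describes (a `Vary: Cookie` header, a `Set-Cookie`, and rejection of unsafe methods without a token); `requireAuthToken`, the header name `X-CSRF-Token` and both token values are hypothetical, constructed for the demonstration. The point it shows is that wrapping only the "www" mux keeps the cookie and the CSRF check off the "/api/" routes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const (
	csrfToken = "constructed-csrf-token" // constructed sample value, not a real token
	apiToken  = "constructed-api-token"  // constructed sample value, not a real token
)

// protect stands in for nosurf.New (assumption: same func(http.Handler) http.Handler shape).
// It reproduces only the effects the issue complains about: every response gets
// "Vary: Cookie" and a Set-Cookie header, and unsafe methods are rejected without a token.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Cookie")
		http.SetCookie(w, &http.Cookie{Name: "csrf_token", Value: csrfToken, HttpOnly: true})
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
			// safe methods pass through unchecked
		default:
			if r.Header.Get("X-CSRF-Token") != csrfToken {
				http.Error(w, "CSRF token mismatch", http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// requireAuthToken is the API's own gate (hypothetical): a custom header that a
// cross-site form post cannot set, which is why these routes need no CSRF cookie.
func requireAuthToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Auth-Token") != apiToken {
			http.Error(w, "missing or invalid Auth-Token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter builds two sub-muxes and wraps only the browser-facing "www" one in CSRF protection.
func newRouter() http.Handler {
	api := http.NewServeMux()
	api.HandleFunc("/api/items", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "api %s ok", r.Method)
	})

	www := http.NewServeMux()
	www.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "www %s ok", r.Method)
	})

	root := http.NewServeMux()
	root.Handle("/api/", requireAuthToken(api)) // no CSRF wrapper: no Vary, no Set-Cookie
	root.Handle("/", protect(www))              // everything else gets the CSRF middleware
	return root
}

// probe sends one in-memory request and reports the status and whether a cookie was set.
func probe(h http.Handler, method, path string, headers map[string]string) (int, bool) {
	req := httptest.NewRequest(method, path, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Set-Cookie") != ""
}

func main() {
	h := newRouter()
	code, cookie := probe(h, http.MethodPost, "/api/items", map[string]string{"Auth-Token": apiToken})
	fmt.Println("POST /api/items with Auth-Token:", code, "set-cookie:", cookie)
	code, cookie = probe(h, http.MethodPost, "/", nil)
	fmt.Println("POST / without CSRF token:", code, "set-cookie:", cookie)
	code, cookie = probe(h, http.MethodPost, "/", map[string]string{"X-CSRF-Token": csrfToken})
	fmt.Println("POST / with CSRF token:", code, "set-cookie:", cookie)
}
```

Because the root mux hands the unchanged request to the sub-mux, the "api" mux registers its full "/api/items" path; if a router strips the prefix, register the routes accordingly. Keeping the API behind its own header check is what makes it safe to leave those routes outside the CSRF wrapper.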