security browser web csrf csrf-protection

does limiting the host in my mux prevent CSRF attacks?

If I have my mux router limited to accept requests only from my domain, then will that prevent a CSRF attack?

For example in my golang server I have all requests go through my baseRouter:

baseRouter := mux.NewRouter().Host(`{sub:.*}.myDomain.com`).Subrouter()

So wouldn't this mean that if a user was on another site some.attacker.net that posted a request off to my server, then it would simply get a 404 returned for every request because my server won't process any requests from other domains, thus preventing a CSRF attack, or am I basing this on some misconception?

Solution

No, because when attacker.example.com POSTs to mysite.example.org the host header will be set to mysite.example.org.

Gorilla has a package to enable you to protect against Cross Site Request Forgery.

Customize android app preview when it is in background with secure flag
Can a client-side login be safe?
How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket
How to validate if a URL is an Okta domain?
How to make Google Analytics respond to "Do Not Track"
My Vercel API tokens leaked on GitHub. How do I regenerate them?
Implementing Custom Expression Handling with Spring Security 6
What are the security concerns for JSF?
App attestation failed with Firebase App check in release on Android
SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application
When should I use the deny access functions in Symfony 4.4 controllers?
Install two traefik ingress controller on same kubernetes Cluster
Logon events from within credential provider
How to give access to my API for a mobile app?
How to verify a JWKS's integrity and authenticity
Changes in the front-end (Vue.js) part of the PatrolHears project (open source code)
ECPrivateKey to ECPublicKey without BouncyCastle
What TargetName to use when calling InitializeSecurityContext (Negotiate)?
java.security.NoSuchAlgorithmException:Cannot find any provider supporting AES/ECB/PKCS7PADDING
Which procedure is more secure for encryption using Password and Seed
Source security group isn't working as expected in AWS
Google Authenticator available as a public service?
Where do you store your salt strings?
Can other software programs deny access to data sealed in a PCR of a TPM by extending measurements to that PCR?
How do I skip certains rules for parameter in a path in ModSecurity?
Facebook image URLs - how are they kept from un-authorised users?
How to serve attachments privately using Rails?
java.lang.SecurityException: Permission Denial: starting Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER]
<app> would like to access data from other apps - macOS Sonoma