simple csrf protection

assets/javascripts/api.js

@@ -2,9 +2,12 @@
 
 (function() {
   var api = function(method, endpoint, data) {
+    var headers = {'Content-Type': 'application/json'}
+    if (['get', 'post', 'put'].indexOf(method) !== -1)
+      headers['x-requested-by'] = 'yarr'
     return fetch(endpoint, {
       method: method,
-      headers: {'Content-Type': 'application/json'},
+      headers: headers,
       body: JSON.stringify(data),
     })
   }
@@ -12,7 +15,7 @@
   var json = function(res) {
     return res.json()
   }
-  
+
   var param = function(query) {
     if (!query) return ''
     return '?' + Object.keys(query).map(function(key) {

server/server.go

@@ -43,6 +43,10 @@ func (h *Handler) Start() {
 	}
 }
 
+func unsafeMethod(method string) bool {
+	return method == "POST" || method == "PUT" || method == "DELETE"
+}
+
 func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	route, vars := getRoute(req)
 	if route == nil {
@@ -51,6 +55,10 @@ func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 
 	if h.requiresAuth() && !route.manualAuth {
+		if unsafeMethod(req.Method) && req.Header.Get("X-Requested-By") != "yarr" {
+			rw.WriteHeader(http.StatusUnauthorized)
+			return
+		}
 		if !userIsAuthenticated(req, h.Username, h.Password) {
 			rw.WriteHeader(http.StatusUnauthorized)
 			return