Cross Site Request Forgery in Chi with Firestore

Cross Site Request Forgery (CSRF) in a Chi application that uses Firestore can occur when an authenticated Firestore client performs state-changing requests triggered by a malicious third-party site. Chi is a small, functional web framework for Clojure, and while it does not enforce CSRF protections by default, Firestore security rules typically rely on authentication rather than per-request anti-CSRF tokens. This mismatch can expose endpoints that perform writes, updates, or deletions to Firestore when an attacker诱导s a logged-in user’s browser to make unintended requests.

Consider a scenario where a Chi handler deletes a document from a user’s collection based solely on a path parameter without verifying intent. If the handler relies on session cookies or an access token automatically included by the browser, an attacker can craft a form on another site that submits to this handler. Because Firestore authentication is typically managed client-side or via a session cookie, the request appears legitimate to the backend, and Firestore rules may permit the operation based on user identity rather than explicit CSRF checks.

For example, a route defined in Chi like /delete-item that expects a document ID and uses an authenticated Firestore client can be vulnerable if it does not validate the request origin or require a synchronized token. Even with Firestore rules that scope writes to the authenticated user, the absence of CSRF mitigation allows an attacker to execute actions on behalf of the victim. This is particularly relevant when the application serves both a browser interface and an API surface, increasing the attack surface.

Real-world patterns such as OWASP API Top 10 A05:2023 — Broken Function Level Authorization — intersect with CSRF when authorization is enforced at the application layer but not paired with anti-CSRF mechanisms. Firestore rules may correctly identify the user, but they cannot distinguish between a legitimate user-initiated request and a forged one caused by CSRF. Therefore, developers must implement synchronizer token patterns or same-site cookie attributes in Chi to ensure that each state-changing Firestore operation is intentional.

To protect Chi endpoints that interact with Firestore, implement CSRF tokens and enforce strict origin checks. For state-changing operations, generate a per-session token on the server, store it in the session, and require it in forms or headers submitted from the client. This prevents attackers from forging requests even if cookies are automatically sent.

Below is a concrete example of a Chi handler that integrates CSRF protection when deleting a Firestore document. It uses an anti-CSRF token stored in the session and verified before performing any write operation.

(ns myapp.handlers
  (:require [compojure.core :refer [defroutes POST DELETE GET]]
            [ring.util.response :as resp]
            [noir.session :as session]
            [clojure.string :as str]
            [firebase-admin.firestore :as fs]))

(defn generate-csrf-token []
  (str/replace (java.util.UUID/randomUUID) "-" ""))

(defn verify-csrf-token [request]
  (let [token (get-in request [:session :csrf-token])
        header-token (get-in request [:headers "x-csrf-token"])]
    (= token header-token)))

(defroutes api-routes
  (POST "/delete-item" [request]
    (if-not (verify-csrf-token request)
      (resp/response "Invalid CSRF token")
      (let [doc-id (get-in request [:params :id])
            db (fs/get-firestore)]
        (fs/delete-document db (str "users/" (session/get :user-id) "/items/" doc-id))
        (resp/ok "Item deleted"))))

  (GET "/form-page" [request]
    (let [csrf-token (or (get-in request [:session :csrf-token]) (generate-csrf-token))]
      (session/put! :csrf-token csrf-token)
      (resp/html-response
        (str "<form method='POST' action='/delete-item?id=123'>"
             "<input type='hidden' name='csrf-token' value='" csrf-token "'>"
             "<button type='submit'>Delete</button>"
             "</form>"))))

On the client side, ensure that forms include the CSRF token as a hidden field and that AJAX requests include the token in a custom header such as x-csrf-token. Complement this with same-site cookie attributes for session cookies to reduce the risk of cross-origin requests carrying credentials:

(defroutes app-routes
  (route/resources "/")
  (route/not-found "Not Found"))

(defn wrap-csrf-cookies [handler]
  (fn [request]
    (let [response (handler request)]
      (update-in response [:cookies "session"]
                 merge {:http-only true
                        :secure true
                        :same-site :strict}))))

For Firestore-specific remediation, ensure that security rules validate not only user identity but also limit the scope of mutations to prevent mass assignment or unintended writes. While rules cannot fully prevent CSRF, they can reduce impact by enforcing least privilege and denying writes that lack required fields indicating intent.

Finally, combine these measures with regular scans using tools like middleBrick to detect exposed endpoints and missing CSRF protections. The CLI tool allows you to run middlebrick scan <url> from your terminal to identify potential issues, while the Pro plan’s continuous monitoring can alert you if new risks appear after changes to Chi routes or Firestore rules.