
Csrf protection #312

Merged
RUKAYAT-CODER merged 4 commits into rinafcode:main from shamoo53:CSRF-Protection
Apr 23, 2026

Conversation

@shamoo53
Contributor

Here’s a clean PR description you can use:


CSRF Protection

Overview

This PR introduces Cross-Site Request Forgery (CSRF) protection to secure state-changing operations in the backend.


Background

The application previously did not implement CSRF protection, leaving state-changing endpoints vulnerable to unauthorized requests triggered from external sites. This update adds a CSRF mitigation layer using token-based validation and secure cookie configuration.


Changes Introduced

  • Added CSRF middleware to protect state-changing requests
  • Implemented CSRF token generation and validation flow
  • Configured secure cookie settings for CSRF token storage
  • Integrated middleware into application bootstrap (main.ts)

Updated Files

  • src/main.ts — Integrated CSRF middleware into application pipeline
  • src/common/middleware/csrf.middleware.ts — CSRF logic implementation

Labels

backend, security, priority-high


Acceptance Criteria

  • CSRF protection is enabled globally for state-changing routes
  • Requests without valid CSRF tokens are rejected
  • Cookies are securely configured (HttpOnly / SameSite as applicable)
  • No disruption to authenticated API flows

Closes #270
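As an added illustration of the token generation and validation flow and the cookie settings the description lists (example code written for this page, not the PR's own `csrf.middleware.ts`; the function names, the `x-csrf-token` header and the request shape are assumptions):

```typescript
// Added example: an HMAC-signed, session-bound CSRF token check in the style of
// a NestJS/Express middleware. Hypothetical names; not the PR's own code.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Methods that must not change state and therefore need no token.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Settings for the session cookie the token is bound to: HttpOnly keeps scripts
// away from it, SameSite=Strict stops the browser attaching it cross-site.
export const sessionCookieOptions = { httpOnly: true, secure: true, sameSite: "strict" as const };

function sign(secret: string, sessionId: string, nonce: string): string {
  return createHmac("sha256", secret).update(`${sessionId}:${nonce}`).digest("hex");
}

// Issue a token for the current session: "<nonce>.<hmac(sessionId:nonce)>".
// The server hands it to the front end (e.g. in a response header), not in a cookie.
export function issueCsrfToken(secret: string, sessionId: string): string {
  const nonce = randomBytes(16).toString("hex");
  return `${nonce}.${sign(secret, sessionId, nonce)}`;
}

// A token is valid only for the session it was issued to; the MAC comparison is constant-time.
export function validateCsrfToken(secret: string, sessionId: string, token: string | undefined): boolean {
  if (!token) return false;
  const [nonce, mac] = token.split(".");
  if (!nonce || !mac) return false;
  const expected = Buffer.from(sign(secret, sessionId, nonce), "hex");
  const given = Buffer.from(mac, "hex"); // invalid hex yields an empty buffer -> length mismatch
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Minimal request shape so the check runs without a web framework.
export interface CsrfRequest {
  method: string;
  sessionId?: string;
  headers: Record<string, string | undefined>;
}

// Returns 0 when the request may proceed, otherwise the HTTP status to reject it with.
export function csrfCheck(secret: string, req: CsrfRequest): number {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return 0;
  if (!req.sessionId) return 401; // no session: nothing to bind the token to
  const token = req.headers["x-csrf-token"]; // set by application code, never sent automatically
  return validateCsrfToken(secret, req.sessionId, token) ? 0 : 403;
}
```

A cross-site form post carries the session cookie but cannot set `x-csrf-token`, so it fails the check; a token replayed against another session fails because the HMAC is keyed on the session id.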

@drips-wave

drips-wave Bot commented Apr 23, 2026

@shamoo53 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@RUKAYAT-CODER
Contributor

KINDLY RESOLVE CONFLICT

RUKAYAT-CODER merged commit 0a06621 into rinafcode:main Apr 23, 2026
3 of 8 checks passed