Thorium Framework is a modern microservices framework built on top of Armeria, Scala 3 and Java 17.
Thorium now supports a narrowly scoped CSRF bypass for an already-implemented pre-auth verification endpoint.
The feature is:
- disabled by default,
- fail-closed,
- exact-path scoped,
- exact-method scoped,
- intended only for pre-auth verification requests,
- designed so all other CSRF behavior remains unchanged.
The configuration entry point is:

```hocon
app.http.csrf.preAuthVerificationBypass {
  enabled = false
  allowPaths = []
  allowMethods = ["POST"]
  requiredContentTypes = []
  requiredHeaders = []
}
```

If `requiredHeaders` is configured, Thorium treats those headers as supplemental presence checks before allowing the CSRF bypass. For example:
- `X-Verify-Channel` can identify which verification flow or caller path the request belongs to.
- `X-Correlation-Id` can carry a trace identifier for log correlation across systems.
These headers improve request shaping and observability, but they are not authentication or authorization signals by themselves.
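The following Scala 3 example is added here to show what the documented semantics (disabled by default, fail-closed, exact-path and exact-method scope, optional content-type allowlist, header presence checks) look like as a single decision function. It is not Thorium's own code: the config and request case classes are simplified stand-ins for whatever Thorium and Armeria actually use, the `/auth/verify` path is hypothetical, and the handling of content-type parameters and header-name case is this example's choice, not a statement about Thorium's implementation.

```scala
// Added example, not Thorium's code. Simplified stand-ins for the real config
// and request types; only the fields the bypass decision needs are modelled.
final case class PreAuthVerificationBypassConfig(
    enabled: Boolean = false,                   // disabled by default
    allowPaths: Set[String] = Set.empty,        // exact paths, no prefixes or globs
    allowMethods: Set[String] = Set("POST"),
    requiredContentTypes: Set[String] = Set.empty,
    requiredHeaders: Set[String] = Set.empty
)

final case class IncomingRequest(
    method: String,
    path: String,                 // path only, query string already stripped
    headers: Map[String, String]  // header names as received (any case)
)

object PreAuthCsrfBypass:

  /** True only when every documented condition holds; anything else is false,
    * so normal CSRF handling stays in force (fail-closed).
    */
  def shouldBypass(cfg: PreAuthVerificationBypassConfig, req: IncomingRequest): Boolean =
    // 1. Nothing bypasses unless the feature is explicitly enabled.
    if !cfg.enabled then return false
    // 2. Fail-closed: an empty allowlist permits no path at all.
    if cfg.allowPaths.isEmpty then return false
    // 3. Exact-path scope: "/auth/verify/extra" does not match "/auth/verify".
    if !cfg.allowPaths.contains(req.path) then return false
    // 4. Exact-method scope: HTTP method tokens are compared as-is.
    if !cfg.allowMethods.contains(req.method) then return false

    // Header names are case-insensitive, so normalise them once for lookups.
    val headers = req.headers.map { case (k, v) => k.toLowerCase -> v }

    // 5. Optional content-type allowlist; parameters such as charset are ignored.
    if cfg.requiredContentTypes.nonEmpty then
      val mediaType = headers.get("content-type").map(_.split(';').head.trim.toLowerCase)
      val allowed = cfg.requiredContentTypes.map(_.toLowerCase)
      if !mediaType.exists(allowed.contains) then return false

    // 6. Supplemental presence checks: every required header must be present and
    //    non-blank. Presence is all that is checked; the values are not credentials.
    cfg.requiredHeaders.forall(h => headers.get(h.toLowerCase).exists(_.trim.nonEmpty))

@main def preAuthBypassDemo(): Unit =
  import PreAuthCsrfBypass.shouldBypass
  val cfg = PreAuthVerificationBypassConfig(
    enabled = true,
    allowPaths = Set("/auth/verify"),           // hypothetical endpoint path
    requiredContentTypes = Set("application/json"),
    requiredHeaders = Set("X-Verify-Channel", "X-Correlation-Id")
  )
  // Constructed request that satisfies every condition.
  val good = IncomingRequest(
    "POST",
    "/auth/verify",
    Map(
      "Content-Type" -> "application/json; charset=utf-8",
      "x-verify-channel" -> "email",
      "X-Correlation-Id" -> "constructed-trace-id"
    )
  )
  assert(shouldBypass(cfg, good))
  // Each deviation below falls back to normal CSRF handling.
  assert(!shouldBypass(cfg, good.copy(path = "/auth/verify/extra")))   // not an exact path
  assert(!shouldBypass(cfg, good.copy(method = "GET")))                 // method not allowed
  assert(!shouldBypass(cfg, good.copy(headers = good.headers - "X-Correlation-Id")))
  assert(!shouldBypass(cfg, good.copy(headers = good.headers.updated("Content-Type", "text/plain"))))
  assert(!shouldBypass(cfg.copy(enabled = false), good))               // disabled by default
  assert(!shouldBypass(cfg.copy(allowPaths = Set.empty), good))        // empty allowlist is fail-closed
  println("all bypass decisions behaved fail-closed as expected")
```

The ordering matters for review: the enable flag and the allowlist are checked before any request data is inspected, so a misconfigured or empty allowlist can never widen the bypass, and the header checks at the end only ever narrow it further.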
For detailed design, implementation, and configuration guidance, see:
- docs/CSRF_PreAuth_Verification_Design.md
- docs/CSRF_PreAuth_Verification_Implementation_Plan.md
- docs/CSRF_PreAuth_Verification_Configuration_Guide.md
For more information, visit our official website.