Turn CSRF protection on by default (#12377)

.github/workflows/integration-tests.yaml

@@ -27,8 +27,9 @@ jobs:
   compatibility-tests:
     name: "Check compatibility with Prefect ${{ matrix.prefect-version }}"
     timeout-minutes: 10
-
+    runs-on: ubuntu-latest
     strategy:
+      fail-fast: true
       matrix:
         prefect-version:
           # These versions correspond to Prefect image tags, the patch version is
@@ -49,6 +50,7 @@ jobs:
           - "2.13"
           - "2.14"
           - "2.15"
+          - "2.16"
 
           # We can include the following to always test against the last release
           # but the value is not particularly clear and we can just append the
@@ -61,53 +63,61 @@ jobs:
           # incompatibilities are allowed.
 
           # All servers prior to 2.6.0 will not accept 2.6.0+ result types
+          # All servers prior to 2.16.0 will not accept `Deployment.schedules`
+
           - prefect-version: "2.0"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.1"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.2"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.3"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.4"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.5"
             server-incompatible: true
-
-          # All servers prior to 2.16.0 will not accept `Deployment.schedules`
+            server-disable-csrf: true
           - prefect-version: "2.6"
             server-incompatible: true
+            server-disable-csrf: true
+            # 2.6 containers have a bad version of httpcore installed
+            extra_docker_run_options: '--env EXTRA_PIP_PACKAGES="httpcore>=0.16.2"'
           - prefect-version: "2.7"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.8"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.9"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.10"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.11"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.12"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.13"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.14"
             server-incompatible: true
+            server-disable-csrf: true
           - prefect-version: "2.15"
             server-incompatible: true
+            server-disable-csrf: true
+          - prefect-version: "2.16"
+            server-incompatible: false
 
-          # 2.6 containers have a bad version of httpcore installed
-          - prefect-version: "2.6"
-            extra_docker_run_options: '--env EXTRA_PIP_PACKAGES="httpcore>=0.16.2"'
-            server_command: "prefect orion start"
-
-          # 2.6/2.7 require `prefect orion start` instead of prefect server start
-          - prefect-version: "2.7"
-            server_command: "prefect orion start"
-
-      fail-fast: true
-
-    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
@@ -151,6 +161,11 @@ jobs:
           TEST_CLIENT_VERSION=$(python -c 'import prefect; print(prefect.__version__)')
           ./scripts/run-integration-flows.py
 
+      - name: Turn off CSRF protection for older clients.
+        if: ${{ matrix.server-disable-csrf }}
+        run: |
+          echo "PREFECT_SERVER_CSRF_PROTECTION_ENABLED=0" >> $GITHUB_ENV
+
       - name: Start server@dev
         run: |
           # First, we must stop the server container if it exists

src/prefect/settings.py

@@ -1235,7 +1235,7 @@ def default_cloud_ui_url(settings, value):
 API with another tool you will need to configure this there instead.
 """
 
-PREFECT_SERVER_CSRF_PROTECTION_ENABLED = Setting(bool, default=False)
+PREFECT_SERVER_CSRF_PROTECTION_ENABLED = Setting(bool, default=True)
 """
 Controls the activation of CSRF protection for the Prefect server API.
 

src/prefect/testing/fixtures.py

@@ -18,7 +18,12 @@
 from prefect.events.clients import AssertingEventsClient
 from prefect.events.filters import EventFilter
 from prefect.events.worker import EventsWorker
-from prefect.settings import PREFECT_API_URL, get_current_settings, temporary_settings
+from prefect.settings import (
+    PREFECT_API_URL,
+    PREFECT_SERVER_CSRF_PROTECTION_ENABLED,
+    get_current_settings,
+    temporary_settings,
+)
 from prefect.testing.utilities import AsyncMock
 from prefect.utilities.processutils import open_process
 
@@ -118,7 +123,12 @@ def use_hosted_api_server(hosted_api_server):
     """
     Sets `PREFECT_API_URL` to the test session's hosted API endpoint.
     """
-    with temporary_settings({PREFECT_API_URL: hosted_api_server}):
+    with temporary_settings(
+        {
+            PREFECT_API_URL: hosted_api_server,
+            PREFECT_SERVER_CSRF_PROTECTION_ENABLED: False,
+        }
+    ):
         yield hosted_api_server
 
 

tests/conftest.py

@@ -62,6 +62,7 @@
     PREFECT_MEMOIZE_BLOCK_AUTO_REGISTRATION,
     PREFECT_PROFILES_PATH,
     PREFECT_SERVER_ANALYTICS_ENABLED,
+    PREFECT_SERVER_CSRF_PROTECTION_ENABLED,
     PREFECT_UNIT_TEST_MODE,
 )
 from prefect.utilities.dispatch import get_registry_for_type
@@ -510,6 +511,12 @@ def caplog(caplog):
     yield caplog
 
 
+@pytest.fixture(autouse=True)
+def disable_csrf_protection():
+    with temporary_settings({PREFECT_SERVER_CSRF_PROTECTION_ENABLED: False}):
+        yield
+
+
 @pytest.fixture
 def enable_workers():
     with temporary_settings(