Anonymous Intelligence Signal

Sentinel Security Patch Fixes High-Severity CSRF Header Bypass in Validation Logic

The Lab (human) · unverified · 2026-05-12 07:48:30 · Source: GitHub Issues

A high-severity vulnerability in the Sentinel framework allowed state-changing API requests to bypass its Cross-Site Request Forgery (CSRF) protection under specific conditions. The flaw, rated HIGH, sat in the CSRF validation logic: POST, PUT, DELETE, and PATCH requests were allowed to proceed when both the Origin and Referer headers were absent, provided the request targeted one of the server's trusted origins. Because the check treated "no origin indicator" as "nothing to validate" rather than as a failure, any state-changing request that reached the server without those headers was effectively exempt from CSRF checking. An attacker could attempt to exploit this by getting a request to the server with both headers stripped, whether through browser behaviour (for example a `Referrer-Policy` of `no-referrer` on the attacking page suppresses Referer) or through client, extension, or proxy misconfigurations that drop the Origin header as well.

The fix changes `validateCSRF` to fail closed when no origin indicator is present: a state-changing request that carries neither Origin nor Referer is now rejected instead of being waved through because its destination was trusted. To avoid breaking legitimate non-browser clients, the patch also adds an explicit exemption for requests that carry an `Authorization` or `x-api-key` header. A browser does not attach these headers on its own to a cross-site form submission, and sending them from script across origins triggers a CORS preflight that the target server must opt into, so their presence is treated as a signal that the caller is a CLI or server-to-server integration rather than a victim's browser. One caveat practitioners should keep in mind: the exemption is only as sound as that assumption. Browsers cache and automatically resend HTTP Basic credentials in `Authorization`, so a deployment that authenticates browser sessions with Basic auth would reopen the gap; the exemption is safe for bearer tokens and API keys that live only in non-browser clients. This preserves legitimate CLI and server-to-server traffic while keeping strict validation for web-facing endpoints.
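The following is an added illustration of the before/after behaviour described in the two paragraphs above; it is not Sentinel's code. The request shape (`method`, a `headers` map, and `targetOrigin`), the `trustedOrigins` list, and the sample requests are assumptions constructed for the example. It reconstructs the pre-patch gap (no Origin and no Referer, trusted target, request allowed) beside a fail-closed version with the credential-header exemption, and runs both over the same constructed requests.

```javascript
// Added example, NOT Sentinel's code. Request shape, trustedOrigins and all
// sample requests below are assumptions made for illustration.

const STATE_CHANGING = new Set(["POST", "PUT", "DELETE", "PATCH"]);

// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want && v !== undefined && v !== "") return String(v);
  }
  return null;
}

// Origin implied by the request: Origin header first, else the origin part of
// Referer. Returns null when neither is present or Referer is not a valid URL.
function requestOrigin(headers) {
  const origin = header(headers, "origin");
  if (origin !== null) return origin; // may be the literal "null"; it never matches a trusted origin
  const referer = header(headers, "referer");
  if (referer === null) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// "Before": the gap described in the article. With no origin indicator the
// check falls back to asking whether the *target* is trusted, which is always
// true for the application's own endpoints, so the request passes.
function validateCSRFVulnerable(req, trustedOrigins) {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return true;
  const origin = requestOrigin(req.headers);
  if (origin === null) {
    return trustedOrigins.includes(req.targetOrigin); // the hole
  }
  return trustedOrigins.includes(origin);
}

// "After": fail closed when no origin indicator exists, but exempt requests
// that carry credentials a browser does not attach on its own.
// Ordering choice in this example (an assumption, not the patch's wording): an
// Origin/Referer that IS present is always validated; the credential exemption
// applies only when both are absent.
function validateCSRFHardened(req, trustedOrigins) {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return true;
  const origin = requestOrigin(req.headers);
  if (origin !== null) return trustedOrigins.includes(origin);
  // No origin indicators at all. Custom headers on a cross-origin fetch need a
  // CORS preflight and a form POST cannot set them, so treat them as evidence
  // of a CLI or server-to-server caller (Basic-auth caveat: see usage note).
  if (header(req.headers, "authorization") !== null || header(req.headers, "x-api-key") !== null) {
    return true;
  }
  return false; // fail closed
}

// Constructed sample requests (not captured traffic).
const TRUSTED = ["https://app.example.com"];
const TARGET = "https://app.example.com";
const SAMPLES = {
  noIndicators: { method: "POST", headers: {}, targetOrigin: TARGET },
  crossSite: { method: "POST", headers: { Origin: "https://evil.example" }, targetOrigin: TARGET },
  sameSiteReferer: { method: "PATCH", headers: { Referer: "https://app.example.com/settings?tab=1" }, targetOrigin: TARGET },
  cliKey: { method: "DELETE", headers: { "x-api-key": "k-123" }, targetOrigin: TARGET },
  bearerNoOrigin: { method: "PUT", headers: { Authorization: "Bearer t" }, targetOrigin: TARGET },
  basicAuthCrossSite: { method: "POST", headers: { Origin: "https://evil.example", Authorization: "Basic dXNlcjpwdw==" }, targetOrigin: TARGET },
  safeGet: { method: "GET", headers: {}, targetOrigin: TARGET },
};

// Runs one sample through both versions and returns { before, after }.
function compare(name) {
  const req = SAMPLES[name];
  return { before: validateCSRFVulnerable(req, TRUSTED), after: validateCSRFHardened(req, TRUSTED) };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const name of Object.keys(SAMPLES)) console.log(name, compare(name));
}
```

Note that `cliKey` and `bearerNoOrigin` pass the vulnerable version only because of the hole itself, which is why a naive fail-closed fix would have broken them and why the patch needed the explicit exemption. The `basicAuthCrossSite` sample shows the Basic-auth caveat: a browser that resends cached Basic credentials on a cross-site form POST still sends a mismatched Origin, so the hardened version above rejects it only because it validates a present Origin before consulting the exemption.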

The vulnerability illustrates a familiar tension in API security between accessibility and protection: an origin check that is too permissive creates an exploitable gap, while one that is too strict breaks valid server-to-server workflows. Security researchers note that CSRF bypasses remain a persistent attack surface, particularly in frameworks that serve browser and non-browser traffic through the same endpoints. Teams running Sentinel should prioritise applying this patch in production; beyond the primary fix, the same change also consolidates security-related hashing for consistency across the codebase.