Add CSRF checks to preferences.

handlers/preferences.go

@@ -19,6 +19,11 @@ func PreferencesHandler(app *App) http.HandlerFunc {
 
 		// Handle POST request (saving preferences)
 		if r.Method == http.MethodPost {
+			if !app.validateCSRFToken(r, session) {
+				http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+				return
+			}
+
 			// Get form values
 			autoSaveDrafts := r.FormValue("auto_save_drafts") == "on"
 
@@ -70,6 +75,7 @@ func PreferencesHandler(app *App) http.HandlerFunc {
 				StaticPath:       app.Config.ThreadrDir + "/static",
 				CurrentURL:       r.URL.RequestURI(),
 				ContentTemplate:  "preferences-content",
+				CSRFToken:        app.csrfToken(session),
 			},
 			Preferences: prefs,
 			ShowSuccess: showSuccess,

templates/pages/preferences.html

@@ -11,6 +11,7 @@
 {{end}}
 <section>
     <form method="post" action="{{.BasePath}}/preferences/">
+        <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
         <h3>Draft Auto-Save</h3>
         <label for="auto_save_drafts" style="display: flex; align-items: center; gap: 0.5em; cursor: pointer;">
             <input type="checkbox" id="auto_save_drafts" name="auto_save_drafts" {{if .Preferences.AutoSaveDrafts}}checked{{end}}>