| .. | ||
| node_modules | ||
| HISTORY.md | ||
| index.js | ||
| LICENSE | ||
| package.json | ||
| README.md | ||
csurf
Node.js CSRF protection middleware.
Requires either a session middleware or cookie-parser to be initialized first.
Install
$ npm install csurf
API
var csrf = require('csurf')
csrf(options)
This middleware adds a req.csrfToken() function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's session or csrf cookie.
Options
valuea function accepting the request, returning the token.- The default function checks four possible token locations:
_csrfparameter inreq.bodygenerated by thebody-parsermiddleware._csrfparameter inreq.querygenerated byquery().x-csrf-tokenandx-xsrf-tokenheader fields.
- The default function checks four possible token locations:
cookieset to a truthy value to enable cookie-based instead of session-based csrf secret storage.- If
cookieis an object, these options can be configured, otherwise defaults are used:keythe name of the cookie to use (defaults to_csrf) to store the csrf secret- any other res.cookie options can be set
- If
ignoreMethodsAn array of the methods CSRF token checking will disabled. (default:['GET', 'HEAD', 'OPTIONS'])
req.csrfToken()
Lazy-loads the token associated with the request.
Example
var express = require('express')
var csrf = require('csurf')
var app = express()
app.use(csrf())
// error handler
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
// handle CSRF token errors here
res.status(403)
res.send('session has expired or form tampered with')
})