Comments (3)
Thanks for the suggestion! I don't have any experience with what you mean, so no idea how to write docs on it. If you could contribute docs on this subject, it would certainly be welcome!
from csurf.
@dougwilson I got ForbiddenError: invalid csrf token on the server side.
These are my front-end request headers:
I set the X-CSRF-Token header and withCredentials: true.
Here is my server code:
const express = require('express');
const cors = require('cors');
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const faker = require('faker');
const logger = console; // the original logger is not shown; console stands in for it

function server() {
  const app = express();
  const PORT = 3000;
  // Only the Angular dev server origin may make credentialed cross-origin requests
  const whitelist = ['http://localhost:4200'];
  app.use(
    cors({
      origin: whitelist,
      credentials: true
    })
  );
  app.use(cookieParser('cookie-secret'));
  // Debug middleware: log what the browser actually sent
  app.use((req, res, next) => {
    console.log('cookies: ', req.cookies);
    console.log('req.headers: ', req.headers['x-csrf-token']);
    next();
  });
  // Cookie mode: the CSRF secret is kept in a cookie instead of a session
  app.use(csrf({ cookie: true }));
  app.get('/', (req, res) => {
    res.sendStatus(200);
  });
  // The client fetches a token here before making its POST
  app.get('/csrftoken', (req, res) => {
    const csrfToken = req.csrfToken();
    console.log('csrfToken: ', csrfToken);
    res.json({ csrfToken });
  });
  app.post('/api/user', (req, res) => {
    const user = { name: faker.name.findName(), email: faker.internet.email() };
    res.json(user);
  });
  return app.listen(PORT, () => {
    logger.info(`Server is listening on http://localhost:${PORT}`);
  });
}
Can you please take a look? thanks.
Here are my code samples:
https://github.com/mrdulin/expressjs-research/tree/master/src/csrf/angular-sample-client
https://github.com/mrdulin/expressjs-research/tree/master/src/csrf/angular-sample-server
I'm also dealing with something similar with Angular as the frontend. One tool which Angular provides is the HttpClientXsrfModule.
Your imports should look like:
import { BrowserModule } from '@angular/platform-browser';
import { NgModule } from '@angular/core';
import { HttpClientModule, HttpClientXsrfModule } from '@angular/common/http';
import { AppComponent } from './app.component';

@NgModule({
  declarations: [AppComponent],
  imports: [
    BrowserModule,
    HttpClientModule,
    // Read the named cookie and copy its value into the named request header
    HttpClientXsrfModule.withOptions({
      cookieName: 'x-csrf-token',
      headerName: 'x-csrf-token'
    }),
  ],
  providers: [],
  bootstrap: [AppComponent]
})
export class AppModule {}