Comments (9)
from csurf.
For those of you who don't want to fork and create your own npm module, I've found you can achieve the above with code like this.
var express = require('express');
var cookieParser = require('cookie-parser'); // csurf's cookie mode needs parsed cookies
var csrf = require('csurf');
var app = express();
app.use(cookieParser());

var csrfProtection = csrf({ cookie: true }); // build the middleware once, not per request
var csrfIgnore = ['/path/to/ignore/', '/another/path/to/ignore/'];
app.use(function (req, res, next) {
  // exact match on req.path; anything not in the list goes through csurf
  if (csrfIgnore.indexOf(req.path) == -1) {
    csrfProtection(req, res, next);
  } else {
    next();
  }
});
Hope that helps someone.
In addition to @crisward workaround, you can also automatically supply the token to templates:
var csrf = require('csurf');
// csrf() without { cookie: true } needs session middleware (e.g. express-session) mounted first
var csrfProtection = csrf();
app.use(function validateToken(req, res, next) {
  var ignoredRoutes = ["/register"];
  if (ignoredRoutes.indexOf(req.path) == -1) {
    csrfProtection(req, res, next);
    return;
  }
  next();
});
app.use(function createToken(req, res, next) {
  // csurf only adds req.csrfToken on requests it processed, so ignored routes get no token
  if (typeof req.csrfToken === "function") {
    res.locals.csrfToken = req.csrfToken();
  }
  next();
});
This is really useful when you have a logout link on every page that you want to secure from cross-site request forgery.
It would be nice to have first class support, though.
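One way to generalise the two workarounds above into a reusable wrapper, as an added example that is not from the csurf project or either commenter. `fakeCsrf`, `unless`, `exposeToken` and `simulate` are stand-ins constructed here so it runs without Express installed, and it also shows the exact-match versus prefix-match difference that the `indexOf(req.path)` check leaves open.

```javascript
// Stand-in for csurf(): marks the request as checked and exposes req.csrfToken().
// Constructed for this example; the real csurf validates the submitted token
// against the session or cookie secret and calls next(err) on mismatch.
function fakeCsrf() {
  return function (req, res, next) {
    req.csrfChecked = true;
    req.csrfToken = function () { return 'token-for-' + req.path; };
    next();
  };
}

// Wrap `middleware` so it is skipped for ignored paths. Exact matching (as in
// the comments above) is the default; pass { prefix: true } to also skip
// sub-paths, since '/api' alone would not cover '/api/users'.
function unless(middleware, ignore, opts) {
  var prefix = opts && opts.prefix;
  return function (req, res, next) {
    var skip = ignore.some(function (p) {
      return req.path === p || (prefix && req.path.indexOf(p + '/') === 0);
    });
    if (skip) return next();
    middleware(req, res, next);
  };
}

// Expose the token to templates only when the check actually ran.
function exposeToken(req, res, next) {
  if (typeof req.csrfToken === 'function') {
    res.locals.csrfToken = req.csrfToken();
  }
  next();
}

// Run a two-step chain for one request path and report what happened.
function simulate(path, ignore, opts) {
  var req = { path: path };
  var res = { locals: {} };
  var chain = [unless(fakeCsrf(), ignore, opts), exposeToken];
  var i = 0;
  (function next() { if (i < chain.length) chain[i++](req, res, next); })();
  return { checked: !!req.csrfChecked, token: res.locals.csrfToken || null };
}
```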
I am actually just securing forms that do not need securing at the moment (i.e. ones that do not require the user to be authenticated) just because it is much simpler than the solution above. I imagine the aforementioned code will be hard to reason about in a few weeks (curse of knowledge).
csrf doesn't have to be for everything the user does... logout can just be a GET request; why does it have to be a POST? Why is logging a user out so dangerous/large that it needs to be a POST? I am not disagreeing that being able to ignore routes can be beneficial, but as a side note, if you attach csrf after the route you need to not have csrf running on top of, that works also, i.e.:
// csrf here is an already-configured instance, e.g. var csrf = require('csurf')();
app.use('/api', require('./api')); // mounted before csrf, so this will not be csrf verified
app.use(csrf);
app.use('/theRest', require('./another')); // mounted after csrf, so this is verified
ignoreRoutes would be extra code for the same thing that already works.
@dougwilson it might be beneficial to have an example of ignoring areas like APIs on the README for this module separately from express.
I did not think about that, that is a good solution! Thanks, @gabeio.
csrf doesn't have to be for everything the user does... logout can just be a GET request; why does it have to be a POST? Why is logging a user out so dangerous/large that it needs to be a POST?
There are numerous reasons why logout should use POST and not GET. You can read more about that here and here. You can also examine how secure sites implement logout: GitHub, for instance, issues a POST request with a token.
It is also important from a security stand-point depending on the nature of the site.
Imagine an auction site. It would be advantageous for a competing bidder to cause other bidders to be logged out. The delay between being logged out and returning to the auction page might cost the user the auction.
Another example: Imagine a website where a user can only be logged on from one location. An attacker might want to force that user to logout so that he or she can log on (there are numerous ways the attacker could log on).
At the very least, this becomes an inconvenience; it becomes a usability barrier for the user. Imagine an attacker somehow made continuous logout requests from his or her malicious page. So long as the user has the malicious page open in a tab somewhere, every time he or she logged on to the target site, he or she would be instantaneously logged out again... This is one of tens of "attack" vectors. I am sure you can imagine more.
@dougwilson it might be beneficial to have an example of ignoring areas like APIs on the README for this module separately from express.
Can you elaborate on this or offer a PR, please :)?
Basically showing the code that I provided here with, I guess, more of an example... I will create a PR.