Giter Site home page Giter Site logo

Comments (9)

billjohnston avatar billjohnston commented on March 28, 2024

πŸ‘

from csurf.

crisward avatar crisward commented on March 28, 2024

For those of you who don't want to fork and create your own npm module, I've found you can achieve the above with code like this.

var csrf  = require('csurf');
var csrfIgnore =['/path/to/ignore/','/another/path/to/ignore/'];
app.use(function(req, res, next){
  if(csrfIgnore.indexOf(req.path)==-1){
    csrf({cookie:true})(req, res, next)
  }else{
    next();
  }
});

Hope that helps someone.

from csurf.

bookercodes avatar bookercodes commented on March 28, 2024

πŸ‘

In addition to @crisward workaround, you can also automatically supply the token to templates:

app.use(function validateToken(req, res, next){
  var ignoredRoutes = ["/register"];
  if(ignoredRoutes.indexOf(req.path) == -1){
    csrf()(req, res, next)
    return;
  }
  next();
});
app.use(function createToken(req, res, next) {
  if (typeof req.csrfToken === "function") {
    res.locals.csrfToken = req.csrfToken();
  }
  next();
});

This is really useful when you have a logout link on every page that you want to secure from cross-site request forgery.

It would be nice to have first class support, though.

from csurf.

bookercodes avatar bookercodes commented on March 28, 2024

I am actually just securing forms that do not need securing at the moment (i.e. ones who do not require the user to be authenticated) just because it is much simpler than the solution above - I imagine the aforementioned code will be hard to reason about in a few weeks (curse of knowledge).

from csurf.

gabeio avatar gabeio commented on March 28, 2024

csrf doesn't have to be for everything the user does... logout can just be a GET request why does it have to be a POST? why is logging a user out so dangerous/large that it needs to be a POST? I am not disagreeing that being able to ignore routes can be beneficial. but as a side note if you attach csrf after the route you need to not have csrf running on top of that works also ie:

app.use('/api',require('./api')); // this will not be csrf verified
app.use(csrf);
app.use('/theRest',require('./another'));

ignoreRoutes would be extra code for the same thing that already works.

from csurf.

gabeio avatar gabeio commented on March 28, 2024

@dougwilson it might be beneficial to have an example of ignoring areas like api's on the README for this module separately from express.

from csurf.

bookercodes avatar bookercodes commented on March 28, 2024

I did not think about that, that is a good solution! Thanks, @gabeio.

csrf doesn't have to be for everything the user does... logout can just be a GET request why does it have to be a POST? why is logging a user out so dangerous/large that it needs to be a POST?

There are numerous reasons why logout should use POST and not a GET. You can read more about that here and here. You can also examine how secure sites implement logout - GitHub, for instance, issues a POST request with a token.

It is also important from a security stand-point depending on the nature of the site.

Imagine an auction site. It would be advantageous for a competing bidder to cause other bidders to be logged out. The delay between being logged out and returning to the auction page might cost the user the auction.

Another example: Imagine a website where a user can only be logged on from one location. An attacker might want to force that user to logout so that he or she can log on (there are numerous ways the attacker could log on).

At the very least, this becomes an inconvenience – it becomes a usability barrier for the user. Imagine an attacker somehow made continuous logout requests from his or her malicious page - so long as the user has the malicious page open in a tab somewhere, every time he or she logged on to the target site, he or she would be instantaneously logged out again… This is one of tens of "attack" vectors. I am sure you can imagine more.

from csurf.

dougwilson avatar dougwilson commented on March 28, 2024

@dougwilson it might be beneficial to have an example of ignoring areas like api's on the README for this module separately from express.

Can you elaborate on this or offer a PR, please :)?

from csurf.

gabeio avatar gabeio commented on March 28, 2024

basically showing the code that I provided here with a guess more of an example... I will create a PR.

from csurf.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    πŸ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. πŸ“ŠπŸ“ˆπŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❀️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.