Comments (6)
Firstly, if you are only accessing a route server-side, CSRF protection is not necessary, as it is a client/browser vulnerability. However, if the route is also accessed by a browser, here's how to make it work:
In Crumb's default mode, when POSTing a JSON payload, include the crumb as {"crumb": "crumbValue"} and the header cookie: crumb=crumbValue
See https://github.com/hapijs/crumb/blob/master/test/index.js#L106 for an example.
You can also set the crumb plugin option restful: true and then send the crumb along in an HTTP header called X-CSRF-Token, along with the cookie header.
Additionally, the Crumb plugin options have a skip property which allows you to provide a function to skip Crumb validation, which would be an option as well.
Let me know if you need any further assistance.
Thanks, I have tried crumb's default mode, it works as anticipated.
If I were to set restful: true, will the server still be able to protect against the POSTs which are not API calls? Or is it possible to set restful: true for an API connection and leave default for the other?
The form submissions would require some processing to add the X-CSRF-Token header when restful: true - a raw post from a browser would fail.
As far as I know, restful has to be true or false.
You might be better off using the skip option for such things.
@stongo crumb works like a charm. I have tried a few things and I found the easier way is to register crumb on a particular connection, say the www server, with its options and register crumb for the api server with restful options.
Do you know of issues that could create?
@rutaihwa that's brilliant! I would say you are all good with that setup.
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.