Giter Site home page Giter Site logo

stateless-csrf's Introduction

stateless-csrf

CSRF without sessions.

Installation

npm install stateless-csrf

How it works

This CSRF protection hashes a user's unique cookie against a server-side secret.

When the request comes in, the server hashes the cookie with the server-side secret and then compares it to the CSRF token. If it matches, verification is complete, otherwise the middleware rejects the request.

This is a slight variation on the double submit cookies using the advice mentioned in this comment in this blog post.

Usage

var csrf = require('stateless-csrf')

app.use(csrf({
  secret: 'some server secret',
  cookie: 'name of the cookie to hash against'
}))

app.use(function * (next) {
  if ('GET' == this.method) {
    this.body = this.state.csrf
  } else if ('POST' == this.method) {
    this.body = 'protected area';
  }
})

Test

npm install
make test

Considerations

  • Add a salt: not sure if this is necessary since the user token is already unique.
  • Add an expiration: not sure this is necessary since the cookie has an expiration.

Disclaimer

I am not a security expert nor have I done a security audit on this code.

Use this at your own risk, and if you can think of any ways to make this more secure, let me know!

License

MIT

Copyright (c) 2015 Matthew Mueller <[email protected]>

stateless-csrf's People

Contributors

greenkeeperio-bot avatar matthewmueller avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

isabella232

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.