sessionless csrf with origin check, falling back to cookie based hmac token when origin is not present

nherment/node-hmac-csrf

hmac-csrf

Express middleware

Sessionless CSRF protection with:

  • HTTP Origin header check for modern browsers.
  • Fallback to an HMAC token when the Origin header is not present.
  • Token derived from the session cookie, so it works with HMAC-signed cookies on a stateless server.
  • Ability to exclude routes from CSRF validation.
  • Compatible with templates (the token is exposed on res[templateAttr]).

    var HmacCsrf = require('hmac-csrf')

    var options = {
      'secret'       : '123456',       // HMAC key; use a long random value in production
      'validityDelay': 86400000,       // the delay after which a CSRF token expires, in ms
      'sessionCookie': 'connect.sid',  // the cookie whose value is used in the HMAC generation
      'algorithm'    : 'sha256',       // the HMAC algorithm
      'origin'       : null,           // expected value of the HTTP Origin header; set it to enable the Origin check
      'templateAttr' : 'locals',       // the '_csrf' token will be set on res[templateAttr]
      'ignore': [                      // do not run CSRF validation for these paths
        '/foo/bar'
      ],
      'keys': {                        // where the token is read from on incoming requests
        'query'      : '_csrf',
        'body'       : '_csrf',
        'header'     : 'x-csrf-token'
      }
    }

    // set the middleware on express (look at express documentation)
    app.use(HmacCsrf(options))
