# Anti-XSRF middleware

This XSRF prevention middleware:

- stores the XSRF secret in a Redis-backed session
- exposes a token on `res.locals` in the variable `xsrfToken`
- exposes a token via a cookie
- validates the incoming token on requests that are not ignored

Note: this middleware requires alt-session to be installed beforehand.
You can provide a custom ignore function via options (the option key `ignore` is assumed here; the extracted page only shows the function body):

```js
options.ignore = function (req) {
  return true; // Ignore all requests
};
```

You can provide a custom token source getter (by default it takes the `X-XSRF-TOKEN` header value to ensure compatibility with Angular). The option key `getToken` is assumed; the page only shows the getter returning a value read from `req`:

```js
options.getToken = function (req) {
  // Return the token string for this request; here it is read from the same
  // header the default getter uses (header names are lower-cased by Node).
  return req.headers['x-xsrf-token'];
};
```