connect-csrf-lite
Basic CSRF validation middleware for Connect using csrf-lite. The implementation of CSRF token session storage and retrieval is left entirely up to you.
Installation
npm install connect-csrf-lite
Usage
```js
var connect = require('connect');
var connectCsrf = require('connect-csrf-lite');
var utils = connect.utils; // assumed: connect 2.x helpers; utils.uid() yields a random id
var app = connect();

// Middleware to create/retrieve `req.csrfToken`. This example uses cookie sessions.
// Arguments below are an assumed configuration; adapt them to your own session setup.
app.use(connect.cookieParser());
app.use(connect.cookieSession({ secret: 'replace-with-a-long-random-secret' }));
app.use(function (req, res, next) {
  // Reuse the session's token, minting one on the first request.
  req.session.csrfToken = req.session.csrfToken || utils.uid(24);
  req.csrfToken = req.session.csrfToken;
  next();
});
app.use(connect.bodyParser()); // the token is read from req.body by default
app.use(connectCsrf());
```
The middleware takes the token set at req.csrfToken (configurable with the tokenKey option) and validates it against the x-csrf-token value present in the body (configurable with the dataKey option) for every state-mutating request. Mount it after whatever middleware populates that data (for the default, a body parser); otherwise there is nothing to validate against.
If no CSRF token is set on the request object, one will be created for you. Persisting that token in the session and reattaching it to req on subsequent requests is still your responsibility; a token that is regenerated on every request can never match the one already rendered into a form.
csrfInput()
A helper method that renders a hidden input carrying the CSRF token is provided for use in your forms (the token itself is available at req.csrfToken and res.locals.csrfToken). In a Jade template:
```jade
form
  != csrfInput()
  input(type="submit")
```
Use the unescaped output operator (!=) as shown, since the helper returns markup. Give the form a state-mutating method such as POST: only those requests are validated, and a GET form would also leak the token into the URL, server logs and Referer headers.
Constructor Options
```js
app.use(connectCsrf({ tokenKey: 'csrfToken', dataKey: 'body' })); // the defaults, spelled out
```
Pass an object on instantiation with any of the following options:
- tokenKey (String): The key at which you have attached the CSRF token onto the req object. Defaults to csrfToken.
- dataKey (String): The key on the req object where the x-csrf-token key/value pair can be found. Examples are headers, query, etc. Defaults to body. Prefer body or headers over query: a token carried in the query string ends up in browser history, server logs and Referer headers.