csurf with the ability to ignore routes
Node.js CSRF protection middleware fork based on the csurf module.
Requires either a session middleware or cookie-parser to be initialized first.
- If you are setting the "cookie" option to a non-false value, then you must use cookie-parser before this module.
- Otherwise, you must use a session middleware before this module. For example:
If you have questions on how this module is implemented, please read Understanding CSRF.
Installation
$ npm install csurf-noroutes
API
var csurfNoRoutes = require('csurf-noroutes')
csurfNoRoutes([options])
Create a middleware for CSRF token creation and validation. This middleware adds a req.csrfToken() function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's session or csrf cookie.
Options
The csurf-noroutes function takes an optional options object that may contain any of the csurf legacy keys.
A new option is available: ignoreRoutes, an array of routes that the module skips when checking for a valid CSRF token (typically routes used by the POST method). This parameter supports the use of regular expressions to define URL patterns.
With strings:
ignoreRoutes: ['/my/first/route', '/mySecond/route', 'etc..']
With a regex:
ignoreRoutes: [/\/remoteCalls\//g]
Both:
ignoreRoutes: ['/remoteCalls/login', /\/remoteCalls\//g]
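
A pre-deployment check for an ignoreRoutes list, as an added example that is not part of csurf-noroutes. It assumes regex entries are tested against the request URL; auditIgnoreRoutes, testTwice and the sample URLs are hypothetical names and constructed values. It flags patterns carrying the g or y flag, whose test() result changes between calls, and unanchored patterns that also match a URL meant to stay CSRF-protected.

```javascript
// Added example; auditIgnoreRoutes and testTwice are hypothetical helpers,
// not part of csurf-noroutes. Assumes regex entries are tested against the URL.

// A RegExp with the g (or y) flag keeps lastIndex between test() calls.
function testTwice(re, url) {
  return [re.test(url), re.test(url)];
}

// Report regex entries that are stateful, unanchored, or that match a URL
// from mustStayProtected (URLs that should still require a CSRF token).
function auditIgnoreRoutes(ignoreRoutes, mustStayProtected) {
  const findings = [];
  for (const route of ignoreRoutes) {
    if (typeof route === 'string') continue; // only patterns are audited here
    if (!(route instanceof RegExp)) {
      findings.push({ route: String(route), issue: 'not a string or RegExp' });
      continue;
    }
    const name = String(route);
    if (route.global || route.sticky) {
      findings.push({ route: name, issue: 'g/y flag: test() depends on lastIndex' });
    }
    if (!route.source.startsWith('^')) {
      findings.push({ route: name, issue: 'unanchored: matches anywhere in the URL' });
    }
    // Probe with a copy stripped of g/y so each result is deterministic.
    const stateless = new RegExp(route.source, route.flags.replace(/[gy]/g, ''));
    for (const url of mustStayProtected) {
      if (stateless.test(url)) {
        findings.push({ route: name, issue: 'also exempts ' + url });
      }
    }
  }
  return findings;
}

// Constructed sample input: the README's "Both" list and one URL that should
// remain CSRF-protected but carries the pattern in its query string.
const protectedUrls = ['/account/email?next=/remoteCalls/x'];
console.log(testTwice(/\/remoteCalls\//g, '/remoteCalls/login')); // [ true, false ]
console.log(auditIgnoreRoutes(['/remoteCalls/login', /\/remoteCalls\//g], protectedUrls));
console.log(auditIgnoreRoutes([/^\/remoteCalls\//], protectedUrls)); // []
```

Anchoring the pattern and dropping the g flag, as in /^\/remoteCalls\//, clears all three findings for the sample list.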