Express JS - Cross Site Request Forgery (CSRF)
Easily add CSRF protection to your express js application
Overview
This package is a simple yet effective middleware layer of CSRF protection to your express app. It creates a CSRF cookie for requests with methods GET, HEAD, TRACE and checks the CSRF cookie against a request header for POST, PUT, PATCH, DELETE. See these links for more details on this security implementation:
- https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html
- https://angular.io/guide/security
- https://medium.com/@d.silvas/how-to-implement-csrf-protection-on-a-jwt-based-app-node-csurf-angular-bb90af2a9efd
Installation
This is a Node.js module available through the
npm registry. Installation is done using the
npm install command:
$ npm install express-csrf-protectDemo
const express = require('express');
const expressCsrf = require('express-csrf-protect');
const app = express();
app.use(expressCsrf.enable());
app.get('/', (request, response) => {
return response.json({ message: 'admit one' });
});
app.post('/', (request, response) => {
return response.json({ message: 'admit one' });
});
const PORT = process.env.PORT || 3000;
app.listen(PORT);
console.log(`Listening on port ${PORT}...\n\n`);The middleware can also accept an options object, similar to the csurf package:
const express = require('express');
const expressCsrf = require('express-csrf-protect');
const app = express();
app.use(expressCsrf.enable({
httpOnly: false,
domain: 'some-domain',
path: 'some-path'
}));
const PORT = process.env.PORT || 3000;
app.listen(PORT);
console.log(`Listening on port ${PORT}...\n\n`);