
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
Simple Anti-CSRF Token implementation for Express applications.
This package only uses Node.js native crypto module and no other dependency. I did my best to follow OWASP CSRF token best practices. Now it's your responsibilty to follow best practices for session management. I do recommend you read this article before anything else.
Disclaimer: This package is still under development, I do NOT recommend using it for production yet.
npm:
npm install csrf-guard
yarn:
yarn add csrf-guard
GitHub:
git clone https://github.com/venomaze/csrf-guard.git
First register the middleware:
const express = require('express');
const session = require('session');
const CSRFGuard = require('csrf-guard');
const app = express();
// DO NOT USE SESSION LIKE THIS!
app.use(
session({
secret: 'secret_key',
})
);
app.use(
new CSRFGuard({
secret: 'secret_key', // Secret key is required
})
);
Then you have access to two getToken and isTokenValid methods from request object.
app.get('/', async (req, res) => {
const token = await req.getToken();
const form = `
<form action="/test" method="POST">
<input type="hidden" name="csrf_token" value="${token}" />
<input type="text" name="username" />
<input type="submit" />
</form>
`;
res.send(form);
});
app.post('/test', (req, res) => {
const isTokenValid = req.isTokenValid();
const message = isTokenValid ? 'The token is valid.' : 'Token is NOT valid.';
res.send(message);
});
We have to options, the first one is Synchronizer Token Pattern and the second one is HMAC Based Token Pattern. You can read more about them here.
To be able to use this method, you have to set synchronizer to true in options object. With this method you have access to forced mode which generates a new token even if there is one already. This is the default method.
Setting up:
app.use(
new CSRFGuard({
secret: 'secret_key',
synchronizer: true,
})
);
Generating token:
const token = await req.getToken(true); // Forced is set to true. This way you'll get a new token per request. (Default to false)
To be able to use this method, you have to set synchronizer to false in options object. With this method you have access to expiryTime option which gives you this possibility to expire tokens even if the session id isn't changed. By default, tokens won't be expired until the session is regenerated.
Setting up:
app.use(
new CSRFGuard({
secret: 'secret_key',
synchronizer: false,
expiryTime: 5000, // Tokens will be expired after 5 seconds
})
);
Generating token:
const token = req.getToken();
FAQs
Simple Anti-CSRF Token implementation for Express applications.
The npm package csrf-guard receives a total of 5 weekly downloads. As such, csrf-guard popularity was classified as not popular.
We found that csrf-guard demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.