csrf-monkey

csrf-monkey

Automatically add CSRF headers to all clientside requests

• handles both xhr and fetch
• small footprint, no dependencies
• configurable, testable and restorable

Installation

npm install --save csrf-monkey

Usage

Default behaviour

Put your csrf token in a meta tag in your head like so:

<html>
  <head>
    <meta name='csrf-token' content='value'>
  </head>
  <body></body>
</html>

Then call csrf-monkey. This will patch xhr and window.fetch so that your csrf token is automatically included in all clientside requests

var axios = require('axios')
require('csrf-monkey')()

fetch('/api') // request will include csrf header ('x-csrf-token': value)
axios.get('/api') // request will include csrf header ('x-csrf-token': value)

Options

var csrfMonkey = require('csrf-monkey')
csrfMonkey(header, token)

// you can also pass a custom header to csrf-monkey:
csrfMonkey('my-custom-csrf-header')

// and you can pass your csrf token value directly to csrf-monkey if you don't want to include it as a meta tag:
csrfMonkey(null, 'my-csrf-token')

Restore

var restore = csrfMonkey()
restore() // Restores everything back to how it was

Credits

• Inspired by csrf-xhr