csrf-shield
csrf-shield - CSRF Protection Middleware
csrf-shield is a middleware for protecting web applications from Cross-Site Request Forgery (CSRF) attacks. It integrates easily with Express.js and ensures that your forms and requests are secure.
Install csrf-shield via npm or Yarn.
npm install csrf-shield
yarn add csrf-shield
Here’s a step-by-step guide on how to set up csrf-shield in an Express.js application:
Create a basic Express.js application.
Integrate csrf-shield middleware for CSRF protection.
Use the CSRF token in your forms and validate it on the server side.
Below is a complete example of how to use csrf-shield with an Express.js application:
const express = require('express');
const csrfProtection = require('csrf-shield')({
  secret: 'your_secret_key', // Optional: Set a custom secret key for encryption
  timeout: 1000 * 60 * 10,   // Optional: Set token validity period (10 minutes)
});
const bodyParser = require('body-parser');
const app = express();

// Use body-parser middleware to parse form and JSON data
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());

// Use CSRF protection middleware
app.use(csrfProtection.middleware);

app.get('/', (req, res) => {
  // Embed the token in the form as a hidden field named _csrf
  res.send(`
    <form method="post" action="/login">
      <input type="text" name="username" />
      <input type="password" name="password" />
      <input type="hidden" name="_csrf" value="${req.csrfToken()}" />
      <button type="submit">Login</button>
    </form>
  `);
});

// Sensitive action: only reached when the submitted token verifies
app.post('/login', csrfProtection.verifyToken(), (req, res) => {
  res.send('Logged in');
});

app.listen(3000, () => {
  console.log('Server started on http://localhost:3000');
});
secret: (Optional) The secret key used for encrypting and decrypting CSRF tokens. It's recommended to set a custom, secure key. If not provided, a random key will be generated automatically.
timeout: (Optional) The validity period of tokens in milliseconds. Default is 10 minutes. Adjust this value according to your application's security needs.
To generate CSRF tokens, use the following method:
app.use((req, res, next) => {
  req.csrfToken = () => {
    // Bind the token to the client's address and user agent
    const ip = req.headers['cf-connecting-ip'] || req.headers['x-forwarded-for'] || req.ip;
    const userAgent = req.headers['user-agent'];
    return csrfProtection.generateToken(ip, userAgent);
  };
  next();
});
Use the verifyToken middleware to verify tokens in your routes:
app.post('/login', csrfProtection.verifyToken(), (req, res) => {
  res.send('Logged in');
});
CSRF attacks exploit the trust a web application has in the user's browser. csrf-shield helps prevent these attacks by ensuring that every request with sensitive actions is accompanied by a valid CSRF token.
csrfShield(options)
middleware(req, res, next)
verifyToken()
For issues or contributions, please visit the GitHub repository.
This project is licensed under the MIT License.
FAQs
CSRF protection middleware for Express.js applications.
We found that csrf-shield demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.