CSRF Tokens
Logic behind CSRF token creation and verification.
Read Understanding-CSRF for more information on CSRF.
Use this module to create custom CSRF middleware and what not.
API
var csrf = require('csrf-tokens')(options)
var secret = csrf.secret()
var token = csrf.create(secret)
var valid = csrf.verify(secret, token)
Options:
secretLength: 24
- the byte length of the secret keysaltLength: 8
- the string length of the salttokensize: (secret, salt) => token
- a custom token creation function
var secret = csrf.secret()
Create a new secret
of length secretLength
.
You don't have to use this.
var token = csrf.token(secret)
Create a CSRF token based on a secret
.
This is the token you pass to clients.
var valid = csrf.verify(secret, token)
Check whether a CSRF token is valid based on a secret
.
If it's not valid, you should probably throw a 403
error.