Security News
JavaScript Leaders Demand Oracle Release the JavaScript Trademark
In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.
The csurf npm package is a middleware for Node.js that provides Cross-Site Request Forgery (CSRF) protection. It helps secure web applications by ensuring that state-changing requests are made by authenticated users and not by malicious actors.
Basic CSRF Protection
This code demonstrates how to set up basic CSRF protection using the csurf middleware in an Express application. It includes setting up the middleware, generating a CSRF token, and embedding it in a form.
const express = require('express');
const csrf = require('csurf');
const cookieParser = require('cookie-parser');
const app = express();
const csrfProtection = csrf({ cookie: true });
app.use(cookieParser());
app.use(csrfProtection);
app.get('/form', (req, res) => {
res.send(`<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="${req.csrfToken()}">
<button type="submit">Submit</button>
</form>`);
});
app.post('/process', (req, res) => {
res.send('Form processed');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
CSRF Protection with Session Storage
This example shows how to use csurf with session storage for CSRF protection. The session middleware is used to store the CSRF token, which is then embedded in a form and validated upon form submission.
const express = require('express');
const session = require('express-session');
const csrf = require('csurf');
const app = express();
const csrfProtection = csrf();
app.use(session({ secret: 'mySecret', resave: false, saveUninitialized: true }));
app.use(csrfProtection);
app.get('/form', (req, res) => {
res.send(`<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="${req.csrfToken()}">
<button type="submit">Submit</button>
</form>`);
});
app.post('/process', (req, res) => {
res.send('Form processed');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
Helmet is a collection of middleware functions that help secure Express applications by setting various HTTP headers. While it does not provide CSRF protection directly, it offers a range of other security features such as XSS protection, content security policy, and more. It can be used alongside csurf for comprehensive security.
Lusca is another security middleware for Express that provides various security features, including CSRF protection. It is similar to csurf but also includes additional features like XSS protection, HSTS, and CORS. Lusca can be a more comprehensive solution if you need multiple security features in one package.
Node.js CSRF protection middleware.
Requires either a session middleware or cookie-parser to be initialized first.
$ npm install csurf
var csrf = require('csurf')
This middleware adds a req.csrfToken()
function to make a token which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's session or csrf cookie.
value
a function accepting the request, returning the token.
_csrf
parameter in req.body
generated by the body-parser
middleware._csrf
parameter in req.query
generated by query()
.x-csrf-token
and x-xsrf-token
header fields.cookie
set to a truthy value to enable cookie-based instead of session-based csrf secret storage.
cookie
is an object, these options can be configured, otherwise defaults are used:
key
the name of the cookie to use (defaults to _csrf
) to store the csrf secretignoreMethods
An array of the methods CSRF token checking will disabled.
(default: ['GET', 'HEAD', 'OPTIONS']
)Lazy-loads the token associated with the request.
var express = require('express')
var csrf = require('csurf')
var app = express()
app.use(csrf())
FAQs
CSRF token middleware
The npm package csurf receives a total of 492,855 weekly downloads. As such, csurf popularity was classified as popular.
We found that csurf demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.
Security News
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
Security News
Floating dependency ranges in npm can introduce instability and security risks into your project by allowing unverified or incompatible versions to be installed automatically, leading to unpredictable behavior and potential conflicts.