electrode-csrf-jwt
Advanced tools
[![NPM version][npm-image]][npm-url] [![Build Status][travis-image]][travis-url] [![Dependency Status][daviddm-image]][daviddm-url]
An electrode plugin that enables stateless CSRF protection using JWT in Electrode, Express, or Hapi applications.
CSRF protection is an important security feature, but in systems which don't have backend session persistence, doing CSRF token validation is tricky. Stateless CSRF support addresses this need.
Double JWT CSRF tokens
We rely on the fact that cross site requests can't set headers.
Two JWT CSRF tokens are generated on the server side with the same payload but different types (see below), one for the HTTP header, one for the cookie.
headerPayload = { type: "header", UUID: "12345" };
cookiePayload = { type: "cookie", UUID: "12345" };
When a client makes a request, the JWT token must be sent in the headers.
On server side, both tokens are received, decoded, and validated to make sure the payloads match.
Disadvantage: relies on client making all request through AJAX.
$ npm install electrode-csrf-jwt
You can use the
--saveoption to updatepackage.json
options:
secret: Required. A string or buffer containing either the secret for HMAC algorithms, or the PEM encoded private key for RSA and ECDSA.Others are optional and follow the same usage as jsonwebtoken
algorithmexpiresInnotBeforeaudiencesubjectissuerjwtidsubjectnoTimestampheadersThis module can be used with either Electrode, Express, or Hapi.
config/default.json configuration{
"plugins": {
"electrode-csrf-jwt": {
"options": {
"secret": "shhhhh",
"expiresIn": 60
}
}
}
}
app.js configurationconst csrfMiddleware = require("electrode-csrf-jwt").expressMiddleware;
const express = require("express");
const app = express();
const options = {
secret: "shhhhh",
expiresIn: 60
};
app.use(csrfMiddleware(options));
server/index.js configurationconst csrfPlugin = require("electrode-csrf-jwt").register;
const Hapi = require("hapi");
const server = new Hapi.Server();
const options = {
secret: "shhhhh",
expiresIn: 60
};
server.register({register: csrfPlugin, options}, (err) => {
if (err) {
throw err;
}
});
Built with :heart: by Team Electrode @WalmartLabs.
FAQs
Stateless Cross-Site Request Forgery (CSRF) protection with JWT
The npm package electrode-csrf-jwt receives a total of 44 weekly downloads. As such, electrode-csrf-jwt popularity was classified as not popular.
We found that electrode-csrf-jwt demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 8 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.