koa-csrf
Advanced tools
Readme
CSRF tokens for Koa
For versions of Koa <2.x please use
koa-csrf@2.x
npm:
npm install koa-csrf
yarn:
yarn add koa-csrf
Add middleware in Koa app (default options are shown):
const Koa = require('koa');
const bodyParser = require('koa-bodyparser');
const session = require('koa-generic-session');
const convert = require('koa-convert');
const CSRF = require('koa-csrf');
const app = new Koa();
// set the session keys
app.keys = [ 'a', 'b' ];
// add session support
app.use(convert(session()));
// add body parsing
app.use(bodyParser());
// add the CSRF middleware
app.use(new CSRF({
invalidTokenMessage: 'Invalid CSRF token',
invalidTokenStatusCode: 403,
excludedMethods: [ 'GET', 'HEAD', 'OPTIONS' ],
disableQuery: false
}));
// your middleware here (e.g. parse a form submit)
app.use((ctx, next) => {
if (![ 'GET', 'POST' ].includes(ctx.method))
return next();
if (ctx.method === 'GET') {
ctx.body = ctx.csrf;
return;
}
ctx.body = 'OK';
});
app.listen();
Add the CSRF token in your template forms:
Jade Template:
form(action='/register', method='POST')
input(type='hidden', name='_csrf', value=csrf)
input(type='email', name='email', placeholder='Email')
input(type='password', name='password', placeholder='Password')
button(type='submit') Register
EJS Template:
<form action="/register" method="POST">
<input type="hidden" name="_csrf" value="<%= csrf %>" />
<input type="email" name="email" placeholder="Email" />
<input type="password" name="password" placeholder="Password" />
<button type="submit">Register</button>
</form>
invalidTokenMessage (String or Function) - defaults to Invalid CSRF token, but can also be a function that accepts one argument ctx (useful for i18n translation, e.g. using ctx.request.t('some message') via @ladjs/i18ninvalidTokenStatusCode (Number) - defaults to 403excludedMethods (Array) - defaults to [ 'GET', 'HEAD', 'OPTIONS' ]disableQuery (Boolean) - defaults to false| Name | Website |
|---|---|
| Nick Baugh | https://github.com/niftylettuce |
FAQs
CSRF tokens for Koa
The npm package koa-csrf receives a total of 19,860 weekly downloads. As such, koa-csrf popularity was classified as popular.
We found that koa-csrf demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 13 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Ecma TC39 is meeting this week and has moved key ECMAScript proposals forward, advancing Deferred Import Evaluation, Error.isError(), RegExp Escaping, and Promise.try to the next stages.
Security News
Researchers have demonstrated that teams of LLM agents can exploit zero-day vulnerabilities with a 53% success rate, and the costs of using AI to do so are rapidly becoming more affordable than hiring a human penetration tester.
Security News
In an unprecedented surge, May 2024 saw the publication of over 5,000 CVEs, marking a historic milestone in cybersecurity with an average of 164 CVEs per day, nearly double the 2023 daily average.