server-csrf-check

server-csrf-check

Validate a client-side CSRF token + cookie on a server.

This package makes use of stateless CSRF by requiring every request to have both a cookie + HTTP header set on every request. The server then verifies they are the same which means they're from the right domain. This works because a page can only read / write cookies for its own domain and set the header.

It compares the X-CSRF-token header value with the CSRF_token value in the cookie. Clients should set these values.

This is a first layer of defence that is vulnerable to XSS, but requires a relatively low cost to implement. To also prevent prevent XSS based CSRF consider using per request tokens.

This is also not a replacement for authentication tokens (OAuth or otherwise), this merely prevents tokens from being exploited by malicious agents.

Installation

$ npm install server-csrf-check

Usage

const csrfCheck = require('server-csrf-check')
const http = require('http')

http.createServer(function (req, res) {
  if (!csrfCheck(req, res)) return res.end('CSRF detected')
  res.end('all good')
}).listen()

API

bool = serverCsrfCheck(req, res)

Check an IncomingMessage for the equality of an X-CSRF-token header and CSRF_token on a cookie. Returns a boolean.

See Also

• owasp/csrf
• whitehatsec/session-token
• blog.jdriven/stateless-csrf
• mdn/sessionStorage

License

MIT