Skip to content
/ node-hmac-csrf Public

sessionless csrf with origin check, falling back to cookie based hmac token when origin is not present

8 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nherment/node-hmac-csrf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
hmac-csrf.js
hmac-csrf.js
 
 
package.json
package.json
 
 

Repository files navigation

hmac-csrf

Express middleware

sessionless csrf with

  • HTTP Origin check for modern browsers.
  • Fall back to hmac token
  • Token generated based on the session cookie. Works with hmac signed cookies with a stateless server.
  • ability to exclude routes from the CSRF path.
  • Compatible with templates
    var HmacCsrf = require('hmac-csrf')

    var options = {
      'secret'       : '123456',
      'validityDelay': 86400000,      // the delay after which a CSRF token expires, in ms
      'sessionCookie': 'connect.sid'  // the cookie used in the HMAC generation
      'algorithm'    : 'sha256',      // the HMAC algorithm
      'origin'       : null,          // If the HTTP origin header should be used for CSRF protection, put it here
      'templateAttr' : 'locals',      // the '_csrf' token will be set on res[templateAttr]
      'ignore': [                     // do not run CSRF validation for these paths
        '/foo/bar'
      ],
      'keys': {
        'query'      : '_csrf',
        'body'       : '_csrf',
        'header'     : 'x-csrf-token'
      }
    }

    // set the middleware on express (look at express documentation)
    app.use(HmacCsrf(options))

About

sessionless csrf with origin check, falling back to cookie based hmac token when origin is not present

Resources

Readme
Activity

Stars

8 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages