csurf | CSRF token middleware | Runtime Evironment library
kandi X-RAY | csurf Summary
kandi X-RAY | csurf Summary
Node.js CSRF protection middleware. Requires either a session middleware or cookie-parser to be initialized first. If you have questions on how this module is implemented, please read Understanding CSRF.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- Default value validation for CSRF response .
csurf Key Features
csurf Examples and Code Snippets
// itemId can also be Guid
public async Task OnPostMyAction(long itemId, bool isEnabled)
{
await mRepository.EnableItem(itemId, isEnabled);
return new OkResult();
}
function requestMyAction(itemId, isCheck
response.Headers.TryGetValues("Set-Cookie", out IEnumerable values)
public class AntiForgeryToken
{
public string XsrfToken { get; set; }
public string[] Cookies { get; set; }
}
pro
@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@{
string antiForgeryToken = Xsrf.GetAndStoreTokens(Context).RequestToken;
}
...
Transformers: allow performing transforms on data before request is made or after response is received
Interceptors: allow you to alter the request or response entirely (headers as well). also perform async operations before request is mad
...
// `xsrfCookieName` is the name of the cookie to use as a value for xsrf token
xsrfCookieName: 'XSRF-TOKEN', // default
// `xsrfHeaderName` is the name of the http header that carries the xsrf token value
xsrfHeaderName: 'X-XSRF-TOKEN
HttpClientModule,
HttpClientXsrfModule.withOptions()
const csrf = require('csurf');
app.use(bodyParser.urlencoded({
extended: false
}));
// then add cookie parser and csrf config
app.use(cookieParser());
app.use(
Community Discussions
Trending Discussions on csurf
QUESTION
Everything worked for me until I added csrf. I use in public/js/editor.js fetch to send the image file to the server:
...ANSWER
Answered 2022-Apr-11 at 12:47QUESTION
I use express js and firebase for user authorization. After registration, the user enters the profile.
How do I get the current account on the profile page and get its data? So that even after updating the page, you don't lose the current user?
I've read about onAuthStateChanged, but I don't understand how to use it in my code. (I wanted to in my profile.write js, but I don't understand how). Or get a token from cookies and receive it? Can I have an example?
server.js
...ANSWER
Answered 2022-Apr-02 at 20:21Firebase automatically persists the current user's credentials when they sign in, and tries to restore those credentials when the page/app is reloaded. To detect when that restore has completed, or other state changes, you'll want to use a so-called onAuthStateChanged
listener as shown in the documentation on getting the currently signed-in user. From there:
QUESTION
I have a REST API that I have built with Firebase Cloud Functions. No matter what I try, I can't get any of the endpoints to serve from the CDN cache.
A few pertinent details:
- I am using the csurf middleware.
- I have set (on select endpoints) a cache control header value of
private, max-age=3600, s-maxage=86400
- While the client application requires the user to be authenticated, the requests to the above-referenced endpoints omit any cookies and authentication-related data by setting the options of a typical fetch request like so:
ANSWER
Answered 2022-Mar-22 at 21:20Firebase doesn't seem to allow you to subtract items from it - only to add more to it.
This is security by design:
Note that Hosting adds Cookie and Authorization to the Vary header by default when a request is made for dynamic content. This ensures that any session or cookie authorization header you use is made part of the cache key, which prevents accidental leaks of content.
My guess is you'd have to make the clients (or downstream servers) not send the Cookie
header.
You could do that by moving the public parts to another path or domain. But maybe there is also a Firebase Option to tick somewhere, marking the content static instead of dynamic.
QUESTION
Not a duplicate of this one
I want to know what are the minimum headers/cookies needed to set in order to test an api that uses csurf csrf protection.
In my server I have:
...ANSWER
Answered 2022-Jan-23 at 16:54According to the documentation, the token is expected to be in a header named CSRF-Token
.
QUESTION
I have set up the csurf
node module to add CSRF protection to my ExpressJS application. The frontend is a ReactJS single page application. The problem is that I'm constantly getting this error with every POST request: ForbiddenError: invalid csrf token
. I found out that the CSRF token somehow changes in between requests and doesn't persist. How can I resolve this issue? Here's my Express server code:
ANSWER
Answered 2022-Jan-17 at 14:49I figured it out. It's because my browser and server weren't sending cookies. Here's what I did to fix it:
Client
- Add the
withCredentials: true
option to my instance of axios:
QUESTION
I read all similar questions in stackoverflow, I checked issues in csurf
github page but I could not figure out the issue. This is the express middlewares file:
ANSWER
Answered 2021-Jun-01 at 06:18You do not seem to have a proper body parser set up for the encoding type you're using for your form - ie the default x-www-form-urlencoded
.
Express provides such a body parser, just add it to your middleware stack like this:
QUESTION
I am using csurf as recommended in my Express application to guard against cross sites forgeries. I have registered it globally(illustrated with code below) and so far so good.
Now, I have added multer.js to be able to upload images and as their documentation recommends it, it's more secure to attach multer to each express route where you intend to use.
Now when I do attach multer to my upload routes, I am faced with a 'ForbiddenError: invalid csrf token' and I really don't know why, as my view I am submitting the form from, as a csrf token attached to it.
Below is my code and I would really appreciated any help/suggestions. Thank you all
app.js ...ANSWER
Answered 2021-May-11 at 20:07I'm guessing the problem is that when you are uploading a file, the content type of the request becomes multipart/form-data
, and you cannot simply pass the csrf token to Express in the body anymore.
The API allows to pass it in the URL though. Try passing the token in the _csrf
parameter, that I think should solve your issue. So simply post the form to .../?_csrf={your_token}
. Note though that this is slightly less secure than passing your csrf token in the request body, and might be flagged as a potential vulnerability in later penetration tests if you ever have one.
Alternatively, for a little more security, you can also pass it as a request header, but that might be a little trickier on the client side. According to the docs, Express will take the token from the following:
QUESTION
Hi i am trying to acieve CSRF protection in react js and express js application. The express api is working properly with postman, when i attach _csrf : token with the req.body then it works otherwise it throw invalid csrf token. thats perfect.But when i call the api from the react app using axios its working without the csrf token ,please help. thanks
Here is the code for express: ...ANSWER
Answered 2021-Apr-28 at 05:19X-XSRF-TOKEN is automatically set and sent in the request headers by Axios in my react app that's why when I did not set the _csrf token it still works. But in postman, it doesn't work that way that's why I need to add the _csrf token manually in the body.
QUESTION
I have problems with setting up csrf. I hope that someone can point me in the right direction.
I'm using next.js with express.js.
When I refresh the page following happens:
- I get a _csurf cookie (dev tools > application > cookies)
- a csrf token is logged in my console (-> see last code snipped from context)
- when I make a POST request (-> see routes/index.js f.ex. "/aignupQ"), I get the error "Invalid csurf token"; in the request header I can see the _csrf cookie
- when I refresh the page and make the POST request again everything works.
I'm really confused by the error and really don't understand what is wrong. Here is some relevant code:
server.js:
...ANSWER
Answered 2021-Jan-26 at 15:08I also found your api path might be wrong. In your axios is await axios.get('csrfToken')
. But, I saw /api/csrfToken
in your router. Change it to await axios.get('/api/csrfToken')
In csurf package, when you use csurf({cookie: true})
with cookie mode in middleware at multiple times, it'll break the csrf token in response header with first time post. You could take a look for more detail in CSRF doesn't work on the first post attempt, I've explain the reason in that post. So, there are two solutions you could use.
According to the comments, you use app.use(csruf({cookie: true}))
in server.js
and router/index.js
. Remove the following line in your router/index.js
. When you setup csruf in server.js
, you could use req.csrfToken()
in controllers/csrf.js
without setting up csruf again.
QUESTION
I'm trying to put my nestjs api into Google App Engine but I still have an error. I have created my google cloud project first with the google sdk, edited my code as follow:
main.ts:
...ANSWER
Answered 2021-Apr-15 at 23:22Take a look on this other post:
It seems you need to install and use npm as:
@nestjs/cli
instead of just nest
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install csurf
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page