{"id":13412892,"url":"https://github.com/justinas/nosurf","last_synced_at":"2025-05-14T12:12:03.915Z","repository":{"id":10208923,"uuid":"12303687","full_name":"justinas/nosurf","owner":"justinas","description":"CSRF protection middleware for Go.","archived":false,"fork":false,"pushed_at":"2024-04-06T18:01:21.000Z","size":100,"stargazers_count":1634,"open_issues_count":15,"forks_count":127,"subscribers_count":41,"default_branch":"master","last_synced_at":"2025-04-11T04:59:57.881Z","etag":null,"topics":["csrf","go","middleware","security"],"latest_commit_sha":null,"homepage":"http://godoc.org/github.com/justinas/nosurf","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/justinas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-08-22T17:47:34.000Z","updated_at":"2025-04-10T12:28:44.000Z","dependencies_parsed_at":"2024-05-05T03:30:26.788Z","dependency_job_id":"c4d077e9-e801-42fb-8fa4-abcab8be8f31","html_url":"https://github.com/justinas/nosurf","commit_stats":{"total_commits":119,"total_committers":17,"mean_commits":7.0,"dds":"0.18487394957983194","last_synced_commit":"4d86df7a4affa1fa50ab39fb09aac56c3ce9c314"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/justinas%2Fnosurf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/justinas%2Fnosurf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/justinas%2Fnosurf/releases","manifests_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/justinas%2Fnosurf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/justinas","download_url":"https://codeload.github.com/justinas/nosurf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254140768,"owners_count":22021220,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csrf","go","middleware","security"],"created_at":"2024-07-30T20:01:30.706Z","updated_at":"2025-05-14T12:12:03.883Z","avatar_url":"https://github.com/justinas.png","language":"Go","funding_links":[],"categories":["Forms","Browser sniffing \u0026\u0026 traffic interception \u0026\u0026 traffic analysis \u0026\u0026 man-in-the-middle","Web Framework Hardening","Uncategorized","Forms","Forms","Go","Repositories","Relational Databases","Forms `form parsing and binding`","Forms"],"sub_categories":["Search and Analytic Databases","Advanced Console UIs","Man-in-the-middle \u0026\u0026 MITM","Poisoning","Middlewares","Search and analytics databases","Advanced Console UIs","Advanced console UIs","SQL query builder libraries","Advanced console UIs"],"readme":"# nosurf\n\n[![Build 
Status](https://travis-ci.org/justinas/nosurf.svg?branch=master)](https://travis-ci.org/justinas/nosurf)\n[![GoDoc](http://godoc.org/github.com/justinas/nosurf?status.png)](http://godoc.org/github.com/justinas/nosurf)\n\n`nosurf` is an HTTP package for Go\nthat helps you prevent Cross-Site Request Forgery attacks.\nIt acts like a middleware and therefore\nis compatible with basically any Go HTTP application.\n\n### Why?\nEven though CSRF is a prominent vulnerability,\nGo's web-related package infrastructure mostly consists of\nmicro-frameworks that neither implement CSRF checks\nnor should they.\n\n`nosurf` solves this problem by providing a `CSRFHandler`\nthat wraps your `http.Handler` and checks for CSRF attacks\non every non-safe (non-GET/HEAD/OPTIONS/TRACE) method.\n\n`nosurf` requires Go 1.1 or later.\n\n### Features\n\n* Supports any `http.Handler` (frameworks, your own handlers, etc.)\nand acts like one itself.\n* Allows exempting specific endpoints from CSRF checks by\nan exact URL, a glob, or a regular expression.\n* Allows specifying your own failure handler.\nWant to present the hacker with an ASCII middle finger\ninstead of the plain old `HTTP 400`? No problem.\n* Uses masked tokens to mitigate the BREACH attack.\n* Has no dependencies outside the Go standard library.\n\n### Example\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"html/template\"\n\t\"log\"\n\t\"net/http\"\n\n\t\"github.com/justinas/nosurf\"\n)\n\nvar templateString string = `\n\u003c!doctype html\u003e\n\u003chtml\u003e\n\u003cbody\u003e\n{{ if .name }}\n\u003cp\u003eYour name: {{ .name }}\u003c/p\u003e\n{{ end }}\n\u003cform action=\"/\" method=\"POST\"\u003e\n\u003cinput type=\"text\" name=\"name\"\u003e\n\n\u003c!-- Try removing this or changing its value\n     and see what happens --\u003e\n\u003cinput type=\"hidden\" name=\"csrf_token\" value=\"{{ .token }}\"\u003e\n\u003cinput type=\"submit\" value=\"Send\"\u003e\n\u003c/form\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n`\nvar templ = template.Must(template.New(\"t1\").Parse(templateString))\n\nfunc myFunc(w http.ResponseWriter, r *http.Request) {\n\tcontext := make(map[string]string)\n\t// nosurf.Token returns the masked token issued for this request;\n\t// the form echoes it back in the csrf_token field.\n\tcontext[\"token\"] = nosurf.Token(r)\n\tif r.Method == \"POST\" {\n\t\tcontext[\"name\"] = r.FormValue(\"name\")\n\t}\n\n\tif err := templ.Execute(w, context); err != nil {\n\t\tlog.Println(err)\n\t}\n}\n\nfunc main() {\n\tmyHandler := http.HandlerFunc(myFunc)\n\tfmt.Println(\"Listening on http://127.0.0.1:8000/\")\n\t// nosurf.New wraps the handler: unsafe methods are rejected unless\n\t// the submitted csrf_token matches the token in the cookie.\n\tlog.Fatal(http.ListenAndServe(\":8000\", nosurf.New(myHandler)))\n}\n```\n\n### Manual token verification\nIn some cases the CSRF token may be sent in a non-standard way,\ne.g. the request body is a JSON-encoded message with one of its fields\nbeing the token.\n\nIn such a case the handler (path) should be excluded from automatic\nverification by using one of the exemption methods:\n\n```go\n\tfunc (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool)\n\tfunc (h *CSRFHandler) ExemptGlob(pattern string)\n\tfunc (h *CSRFHandler) ExemptGlobs(patterns ...string)\n\tfunc (h *CSRFHandler) ExemptPath(path string)\n\tfunc (h *CSRFHandler) ExemptPaths(paths ...string)\n\tfunc (h *CSRFHandler) ExemptRegexp(re interface{})\n\tfunc (h *CSRFHandler) ExemptRegexps(res ...interface{})\n```\n\nThe token **must** then be verified manually: obtain the token issued for the request\n(the example below uses `nosurf.Token(r)`) and compare it with the token sent in the body\nusing `VerifyToken(tkn, tkn2 string) bool`. An exempted endpoint that skips this step\nhas no CSRF protection at all.\n\nExample:\n```go\n// Requires the encoding/json, io/ioutil and net/http imports.\nfunc HandleJson(w http.ResponseWriter, r *http.Request) {\n\td := struct {\n\t\tX, Y int\n\t\tTkn  string\n\t}{}\n\tbody, err := ioutil.ReadAll(r.Body)\n\tif err != nil {\n\t\thttp.Error(w, \"cannot read request body\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif err := json.Unmarshal(body, \u0026d); err != nil {\n\t\thttp.Error(w, \"invalid JSON\", http.StatusBadRequest)\n\t\treturn\n\t}\n\t// Compare the token issued for this request with the one in the body.\n\tif !nosurf.VerifyToken(nosurf.Token(r), d.Tkn) {\n\t\thttp.Error(w, \"CSRF token incorrect\", http.StatusBadRequest)\n\t\treturn\n\t}\n\t// do something useful with d\n}\n```\n\n### Contributing\n\n0. Find an issue that bugs you / open a new one.\n1. Discuss.\n2. Branch off, commit, test.\n3. Make a pull request / attach the commits to the issue.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjustinas%2Fnosurf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjustinas%2Fnosurf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjustinas%2Fnosurf/lists"}
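Two points in the README above deserve a runnable illustration: the "masked tokens to mitigate the BREACH attack" feature bullet, and the manual-verification pattern for a JSON endpoint that has been exempted from automatic checks. The following is an added, standard-library-only Go example and is not nosurf's code. Its token size (32 bytes), the cookie name `csrf_token`, the `/api/sum` route, and the masking layout (a random one-time pad followed by pad XOR token, base64-encoded) are this example's own assumptions chosen to show the technique; nosurf's own cookie name, encoding and `VerifyToken` semantics may differ (in the README, the first argument to `nosurf.VerifyToken` is `nosurf.Token(r)`, which is itself a masked value, whereas this example compares the client's masked token against the cookie's base token directly).

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

const (
	tokenLength = 32           // random bytes in the base token (assumed size)
	cookieName  = "csrf_token" // assumed cookie name for this example
)

// generateToken returns a fresh random base token: the value stored in the
// CSRF cookie, which is never written into a response body in the clear.
func generateToken() ([]byte, error) {
	tok := make([]byte, tokenLength)
	if _, err := rand.Read(tok); err != nil {
		return nil, err
	}
	return tok, nil
}

// maskToken returns base64(pad || token XOR pad) with a fresh random pad.
// The same base token masks to a different string on every call, so a
// compressed page that embeds it gives BREACH no stable secret to guess.
func maskToken(token []byte) (string, error) {
	pad := make([]byte, len(token))
	if _, err := rand.Read(pad); err != nil {
		return "", err
	}
	out := make([]byte, 2*len(token))
	copy(out, pad)
	for i, b := range token {
		out[len(token)+i] = b ^ pad[i]
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// unmaskToken recovers the base token from a masked one; anything that is
// not exactly pad||xored of the right length is rejected.
func unmaskToken(masked string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(masked)
	if err != nil || len(raw) != 2*tokenLength {
		return nil, fmt.Errorf("malformed masked token")
	}
	tok := make([]byte, tokenLength)
	for i := range tok {
		tok[i] = raw[tokenLength+i] ^ raw[i]
	}
	return tok, nil
}

// verifyToken plays the role nosurf.VerifyToken plays in the README: cookieToken
// is the base64 value from the cookie, sentToken the masked value the client sent.
// Constant-time comparison keeps timing from revealing how many bytes matched.
func verifyToken(cookieToken, sentToken string) bool {
	base, err := base64.StdEncoding.DecodeString(cookieToken)
	if err != nil || len(base) != tokenLength {
		return false
	}
	sent, err := unmaskToken(sentToken)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(base, sent) == 1
}

// jsonCSRFHandler is the manual-verification pattern for a JSON endpoint
// exempted from automatic checks: the token arrives in a body field, so
// the handler must compare it against the cookie itself before acting.
func jsonCSRFHandler(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		http.Error(w, "missing CSRF cookie", http.StatusBadRequest)
		return
	}
	var d struct{ X, Y int; Tkn string }
	// LimitReader bounds how much a hostile client can make us read.
	if err := json.NewDecoder(io.LimitReader(r.Body, 1<<20)).Decode(&d); err != nil {
		http.Error(w, "invalid JSON", http.StatusBadRequest)
		return
	}
	if !verifyToken(c.Value, d.Tkn) {
		http.Error(w, "CSRF token incorrect", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "%d\n", d.X+d.Y)
}

func main() {
	http.HandleFunc("/api/sum", jsonCSRFHandler)
	http.ListenAndServe("127.0.0.1:8000", nil)
}
```

Two design choices are deliberate. `verifyToken` accepts only masked client tokens, so a client cannot bypass the masking by echoing the raw cookie value, and a bare or wrong-length token fails closed. Nothing in the handler reads the token from a header or query string: an exempted endpoint that forgets to call the verifier has no CSRF protection at all, which is exactly the failure the README warns about.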