# stateless-csrf

CSRF without sessions.

Repository: https://github.com/koajs/stateless-csrf (JavaScript, MIT license)

## Installation

    npm install stateless-csrf

## How it works

This CSRF protection hashes a user's unique cookie against a server-side secret.

When the request comes in, the server hashes the cookie with the server-side secret and then compares it to the CSRF token. If it matches, verification is complete; otherwise the middleware rejects the request.

This is a slight variation on the [double submit cookies](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookies) pattern, using the advice mentioned in [this comment](http://discourse.codinghorror.com/t/preventing-csrf-and-xsrf-attacks/268/61) on [this blog post](http://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/).

## Usage

```js
var csrf = require('stateless-csrf')

// Mount the middleware: it derives a CSRF token from the named cookie and the
// server-side secret, exposes it on this.state.csrf, and rejects unsafe
// requests whose submitted token does not match.
app.use(csrf({
  secret: 'some server secret',
  cookie: 'name of the cookie to hash against'
}))

// Koa v1 generator middleware
app.use(function * (next) {
  if ('GET' == this.method) {
    // hand the token to the client so it can be sent back with the form/XHR
    this.body = this.state.csrf
  } else if ('POST' == this.method) {
    // only reached when the CSRF check above passed
    this.body = 'protected area';
  }
})
```

## Test

```sh
npm install
make test
```

## Considerations

- **Add a salt**: not sure if this is necessary since the user token is already unique.
- **Add an expiration**: not sure this is necessary since the cookie has an expiration.

## Disclaimer

I am not a security expert nor have I done a security audit on this code.

Use this at your own risk, and if you can think of any ways to make this more secure, let me know!

## License

MIT

Copyright (c) 2015 Matthew Mueller <mattmuelle@gmail.com>