{"id":25839282,"url":"https://github.com/kotovalexarian/rocket_csrf","last_synced_at":"2025-10-29T13:07:40.144Z","repository":{"id":40923725,"uuid":"304744514","full_name":"kotovalexarian/rocket_csrf","owner":"kotovalexarian","description":"CSRF (Cross-Site Request Forgery) protection for Rocket web framework","archived":false,"fork":false,"pushed_at":"2024-01-30T17:17:22.000Z","size":77,"stargazers_count":6,"open_issues_count":5,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-16T00:34:47.463Z","etag":null,"topics":["csrf","csrf-protection","rocket","rocket-rs","rust","rust-lang"],"latest_commit_sha":null,"homepage":"https://crates.io/crates/rocket_csrf","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kotovalexarian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-16T21:42:15.000Z","updated_at":"2023-10-24T11:44:29.000Z","dependencies_parsed_at":"2023-01-31T08:00:34.509Z","dependency_job_id":null,"html_url":"https://github.com/kotovalexarian/rocket_csrf","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kotovalexarian%2Frocket_csrf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kotovalexarian%2Frocket_csrf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kotovalexarian%2Frocket_csrf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kotovalexarian%2Frocket_csrf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kotoval
exarian","download_url":"https://codeload.github.com/kotovalexarian/rocket_csrf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241097391,"owners_count":19909137,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csrf","csrf-protection","rocket","rocket-rs","rust","rust-lang"],"created_at":"2025-03-01T04:26:18.961Z","updated_at":"2025-10-29T13:07:35.090Z","avatar_url":"https://github.com/kotovalexarian.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"rocket_csrf\n===========\n\nCSRF (Cross-Site Request Forgery) protection for [Rocket](https://rocket.rs)\nweb framework.\n\n\u003e **WARNING!**\n\u003e The implementation is very simple for now and may not be ready for production.\n\nDiscussion about CSRF protection in Rocket is\n[here](https://github.com/SergioBenitez/Rocket/issues/14).\n\n\n\nTable of contents\n-----------------\n\n* [Overview](#rocket_csrf)\n* [Table of contents](#table-of-contents)\n* [Usage](#usage)\n* [TODO](#todo)\n\n\n\nUsage\n-----\n\nAttach [fairing](https://rocket.rs/v0.5-rc/guide/fairings/#fairings) to the Rocket\ninstance:\n\n```rust\n#![feature(decl_macro)]\n\n#[macro_use] extern crate rocket;\n#[macro_use] extern crate serde_derive;\n\nuse rocket_dyn_templates::Template;\n\n#[launch]\nfn rocket() -\u003e _ {\n    rocket::ignite()\n        .attach(rocket_csrf::Fairing::default())\n        .attach(Template::fairing())\n        .mount(\"/\", routes![new, create])\n}\n```\n\nYou also can 
configure\n[fairing](https://rocket.rs/v0.5-rc/guide/fairings/#fairings):\n\n```rust\n#[launch]\nfn rocket() -\u003e _ {\n    rocket::ignite()\n        .attach(rocket_csrf::Fairing::new(\n            rocket_csrf::CsrfConfig::default()\n                .with_cookie_name(\"foobar\")\n                .with_cookie_len(64)\n                .with_lifetime(time::Duration::days(3)),\n        ))\n        .attach(Template::fairing())\n        .mount(\"/\", routes![new, create])\n}\n```\n\nAdd [guard](https://rocket.rs/v0.5-rc/guide/requests/#request-guards) to any\nrequest where you want to have access to session's CSRF token (e.g. to include\nit in forms) or verify it (e.g. to validate form):\n\n```rust\nuse rocket::form::Form;\nuse rocket::response::Redirect;\nuse rocket_csrf::CsrfToken;\nuse rocket_dyn_templates::Template;\n\n#[get(\"/comments/new\")]\nfn new(csrf_token: CsrfToken) -\u003e Template {\n    // your code\n}\n\n#[post(\"/comments\", data = \"\u003cform\u003e\")]\nfn create(csrf_token: CsrfToken, form: Form\u003cComment\u003e) -\u003e Redirect {\n    // your code\n}\n```\n\nGet CSRF token from\n[guard](https://rocket.rs/v0.5-rc/guide/requests/#request-guards)\nto use it in [templates](https://rocket.rs/v0.5-rc/guide/responses/#templates):\n\n```rust\n#[get(\"/comments/new\")]\nfn new(csrf_token: CsrfToken) -\u003e Template {\n    let authenticity_token: \u0026str = csrf_token.authenticity_token();\n\n    // your code\n}\n```\n\nAdd CSRF token to your HTML forms in\n[templates](https://rocket.rs/v0.5-rc/guide/responses/#templates):\n\n```html\n\u003cform method=\"post\" action=\"/comments\"\u003e\n    \u003cinput type=\"hidden\" name=\"authenticity_token\" value=\"{{ authenticity_token }}\"/\u003e\n    \u003c!-- your fields --\u003e\n\u003c/form\u003e\n```\n\nAdd attribute `authenticity_token` to your\n[forms](https://rocket.rs/v0.5-rc/guide/requests/#forms):\n\n```rust\n#[derive(FromForm)]\nstruct Comment {\n    authenticity_token: String,\n    // your 
attributes\n}\n```\n\nValidate [forms](https://rocket.rs/v0.5-rc/guide/requests/#forms) to make sure they carry a valid\nauthenticity token:\n\n```rust\n#[post(\"/comments\", data = \"\u003cform\u003e\")]\nfn create(csrf_token: CsrfToken, form: Form\u003cComment\u003e) -\u003e Redirect {\n    if let Err(_) = csrf_token.verify(\u0026form.authenticity_token) {\n        return Redirect::to(uri!(new));\n    }\n\n    // your code\n}\n```\n\nSee the complete code in the [minimal example](examples/minimal).\n\n\n\nTODO\n----\n\n* [ ] Add fairing to verify all requests as an option.\n* [ ] Add [data guard](https://api.rocket.rs/v0.5-rc/rocket/data/trait.FromData.html) to verify forms with a guard.\n* [ ] Add helpers to render the form field.\n* [ ] Add helpers to add HTML meta tags for Ajax with `X-CSRF-Token` header.\n* [ ] Verify `X-CSRF-Token` header.\n* [ ] Use authenticity token encryption from [Ruby on Rails](https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_controller/metal/request_forgery_protection.rb).\n* [ ] Allow configuring CSRF protection (CSRF token byte length, cookie name, etc.).\n* [ ] Set cookie to expire with session.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkotovalexarian%2Frocket_csrf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkotovalexarian%2Frocket_csrf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkotovalexarian%2Frocket_csrf/lists"}