{"id":50365661,"url":"https://github.com/yoozzeek/actix-csrf-middleware","last_synced_at":"2026-05-30T04:01:47.908Z","repository":{"id":303196790,"uuid":"1014588070","full_name":"yoozzeek/actix-csrf-middleware","owner":"yoozzeek","description":"CSRF protection middleware for Actix Web. Supports double submit cookie and synchronizer token patterns (with actix-session).","archived":false,"fork":false,"pushed_at":"2025-10-14T05:04:09.000Z","size":179,"stargazers_count":4,"open_issues_count":3,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-22T20:18:07.972Z","etag":null,"topics":["actix","actix-web","csrf","csrf-protection","middleware","rust","security","web"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yoozzeek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-06T02:45:48.000Z","updated_at":"2025-11-01T10:38:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"1c391985-94af-4fbd-b3c8-d9192a7f4fc4","html_url":"https://github.com/yoozzeek/actix-csrf-middleware","commit_stats":null,"previous_names":["yoozzeek/actix-csrf-middleware"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/yoozzeek/actix-csrf-middleware","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoozzeek%2Factix-csrf-middleware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoozzeek
%2Factix-csrf-middleware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoozzeek%2Factix-csrf-middleware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoozzeek%2Factix-csrf-middleware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yoozzeek","download_url":"https://codeload.github.com/yoozzeek/actix-csrf-middleware/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoozzeek%2Factix-csrf-middleware/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33679306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actix","actix-web","csrf","csrf-protection","middleware","rust","security","web"],"created_at":"2026-05-30T04:01:47.285Z","updated_at":"2026-05-30T04:01:47.897Z","avatar_url":"https://github.com/yoozzeek.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
actix-csrf-middleware\n\n[![Crates.io](https://img.shields.io/crates/v/actix-csrf-middleware.svg)](https://crates.io/crates/actix-csrf-middleware)\n[![Docs.rs](https://docs.rs/actix-csrf-middleware/badge.svg)](https://docs.rs/actix-csrf-middleware)\n[![CI](https://github.com/yoozzeek/actix-csrf-middleware/actions/workflows/ci.yml/badge.svg)](https://github.com/yoozzeek/actix-csrf-middleware/actions/workflows/ci.yml)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)\n\nCSRF protection middleware for [Actix Web](https://github.com/actix/actix-web) applications. Supports double submit\ncookie and synchronizer token patterns (with actix-session) out of the box. Flexible, easy to configure, and includes\ntest coverage for common attacks and edge cases.\n\n**WARNING:** This crate has not been audited and may contain bugs and security flaws. This implementation is NOT ready\nfor production use.\n\n## Overview\n\n- Store CSRF tokens as:\n    - Stateless double submit cookie\n    - Synchronizer token in persistent storage via `actix-session`\n- Implemented following\n  the [OWASP CSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n    - CSRF token is a 256-bit cryptographically secure random value\n    - For the double submit cookie pattern, hashes the session/pre-session ID with the CSRF token using HMAC-SHA256\n    - Compares tokens in constant time to prevent timing attacks\n- Protect unauthenticated routes with signed, stateless pre-sessions (cookie is always HttpOnly=true, Secure=true,\n  SameSite=Strict)\n- Automatically extract and verify tokens from:\n    - `application/json`\n    - `application/x-www-form-urlencoded`\n- Configurable cookie, header, and form field names\n- Graceful, typed error handling: every rejection is a `CsrfError` rendered by default as\n  `{\"error\":\"\u003ccode\u003e\"}` (JSON, correct status) with stable machine-readable codes. 
The typed value is stored in\n  the response extensions, so an actix `ErrorHandlers` can recover it and re-render in your own shape (HTML, JSON,\n  problem+json). Internal faults are logged server-side and never leak details to the client.\n- Optional Origin/Referer enforcement for mutating requests (configurable)\n- Helpers for manually extracting and validating CSRF tokens at the handler level are useful for processing\n  `multipart/form-data` requests without expensive body reading in middleware\n- Enabled by default for all mutating (`POST`,`PUT`,`PATCH`,`DELETE`) http requests; supports per-path CSRF exclusion\n  via `skip_for`.\n\n## Quick start\n\nDependencies:\n\n```toml\n[dependencies]\nactix-web = \"4\"\nactix-csrf-middleware = \"0.6\"\n```\n\nCode:\n\n```rust\nuse actix_csrf_middleware::{CsrfMiddleware, CsrfMiddlewareConfig, CsrfToken};\nuse actix_web::{web, App, HttpResponse, HttpServer, Responder};\n\nasync fn form(csrf: CsrfToken) -\u003e impl Responder {\n    HttpResponse::Ok().body(format!(\"csrf token: {}\", csrf.0))\n}\n\nasync fn submit() -\u003e impl Responder {\n    // Runs only after the CSRF token is verified.\n    HttpResponse::Ok().body(\"accepted\")\n}\n\n#[actix_web::main] // or #[tokio::main]\nasync fn main() -\u003e std::io::Result\u003c()\u003e {\n    // \u003e= 32 bytes; load from your config in production.\n    let secret = b\"replace-me-with-a-32+byte-application-secret\";\n\n    HttpServer::new(move || {\n        // Constant secret, so tokens validate across workers.\n        let config = CsrfMiddlewareConfig::double_submit_cookie(secret);\n        App::new()\n            .wrap(CsrfMiddleware::new(config))\n            .route(\"/\", web::get().to(form))\n            .route(\"/submit\", web::post().to(submit))\n    })\n        .bind((\"127.0.0.1\", 8080))?\n        .run()\n        .await\n}\n```\n\n## Examples\n\nMinimal runnable examples are provided in the examples directory:\n\n- Double Submit Cookie: 
[examples/double-submit-cookie](examples/double-submit-cookie)\n- Synchronizer Token (requires `actix-session`): [examples/synchronizer-token](examples/synchronizer-token)\n- Login/Logout Rotation (Double Submit Cookie + RequestExt\n  rotate): [examples/login-logout-rotation](examples/login-logout-rotation)\n\n## License\n\nThis project is licensed under the MIT License. See [LICENSE](./LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyoozzeek%2Factix-csrf-middleware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyoozzeek%2Factix-csrf-middleware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyoozzeek%2Factix-csrf-middleware/lists"}
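The README's Overview describes the crate's double submit cookie variant: a 256-bit random token, an HMAC-SHA256 that binds it to the session or pre-session ID, constant-time comparison, enforcement only on mutating methods, optional Origin checking, and a `{"error":"<code>"}` JSON rejection. The block below is an added, stand-alone illustration of that signed double-submit pattern, written for this page in Go with only the standard library; it is not code from actix-csrf-middleware and does not use the crate's API. The cookie name `csrf_token`, the header `X-CSRF-Token`, the session cookie `session_id`, the error codes and the `https://app.example` origin are assumptions chosen for the example, and the session cookie here merely stands in for the crate's signed pre-session.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Cookie and header names are assumptions for this example, not the crate's defaults.
const (
	sessionCookie = "session_id"
	csrfCookie    = "csrf_token"
	csrfHeader    = "X-CSRF-Token"
)

// mac is HMAC-SHA256(secret, len(sessionID) ":" sessionID ":" random); the length prefix keeps the fields unambiguous.
func mac(secret []byte, sessionID string, random []byte) []byte {
	h := hmac.New(sha256.New, secret)
	fmt.Fprintf(h, "%d:%s:", len(sessionID), sessionID)
	h.Write(random)
	return h.Sum(nil)
}

// NewToken returns "<hex mac>.<hex random>": 256 bits of fresh randomness, bound to sessionID.
func NewToken(secret []byte, sessionID string) (string, error) {
	random := make([]byte, 32)
	if _, err := rand.Read(random); err != nil {
		return "", err
	}
	return hex.EncodeToString(mac(secret, sessionID, random)) + "." + hex.EncodeToString(random), nil
}

// VerifyToken recomputes the MAC over the token's random part and compares it in constant time.
func VerifyToken(secret []byte, sessionID, token string) bool {
	tagHex, randomHex, ok := strings.Cut(token, ".")
	tag, err1 := hex.DecodeString(tagHex)
	random, err2 := hex.DecodeString(randomHex)
	if !ok || err1 != nil || err2 != nil || len(random) != 32 {
		return false
	}
	return hmac.Equal(tag, mac(secret, sessionID, random))
}

// reject answers 403 with {"error":"<code>"}, the default shape the README describes.
func reject(w http.ResponseWriter, code string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusForbidden)
	fmt.Fprintf(w, `{"error":%q}`, code)
}

// CSRF checks mutating requests only: Origin (when sent) must equal allowedOrigin, cookie and header tokens must match, and the cookie must carry a valid MAC for the session.
func CSRF(secret []byte, allowedOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
			next.ServeHTTP(w, r) // safe methods are never checked
			return
		}
		if o := r.Header.Get("Origin"); o != "" && o != allowedOrigin {
			reject(w, "origin_mismatch")
			return
		}
		sess, err := r.Cookie(sessionCookie)
		if err != nil {
			reject(w, "missing_session")
			return
		}
		cookie, err := r.Cookie(csrfCookie)
		submitted := r.Header.Get(csrfHeader)
		if err != nil || submitted == "" {
			reject(w, "missing_token")
			return
		}
		// cookie == header alone is defeated by an attacker who can plant a cookie (e.g. from a sibling subdomain); the MAC check is what stops that.
		if !hmac.Equal([]byte(cookie.Value), []byte(submitted)) || !VerifyToken(secret, sess.Value, cookie.Value) {
			reject(w, "token_mismatch")
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Status runs one request through the protected handler and returns the status code.
func Status(secret []byte, req *http.Request) int {
	rec := httptest.NewRecorder()
	CSRF(secret, "https://app.example", http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("replace-me-with-a-32+byte-application-secret") // >= 32 bytes, from config in practice
	tok, _ := NewToken(secret, "pre-session-1")
	fmt.Println("Set-Cookie value:", tok)
	fmt.Println("own session:", VerifyToken(secret, "pre-session-1", tok), "other session:", VerifyToken(secret, "pre-session-2", tok))
}
```

The point of the MAC is visible in the last check: a plain double submit accepts any value as long as cookie and header agree, so anyone who can set a cookie for the parent domain passes it; with the token bound to the session ID under a server secret, a planted cookie has no valid tag and is rejected with `token_mismatch`. In a real deployment the token cookie would also be issued with the attributes the README lists (HttpOnly, Secure, SameSite), and the token would be read from the JSON or form body as well as the header.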