https://github.com/brokenhandsio/vapor-csrf
Easy CSRF protection for your Vapor websites
- Host: GitHub
- URL: https://github.com/brokenhandsio/vapor-csrf
- Owner: brokenhandsio
- License: mit
- Created: 2020-09-02T10:08:57.000Z (almost 6 years ago)
- Default Branch: main
- Last Pushed: 2020-09-05T07:35:34.000Z (almost 6 years ago)
- Last Synced: 2025-06-30T02:09:55.613Z (12 months ago)
- Language: Swift
- Size: 37.1 KB
- Stars: 20
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Vapor CSRF
A simple library for protecting POST requests from CSRF (cross-site request forgery) attacks.
## What is CSRF?
In simple terms, CSRF is tricking a user's browser into making requests that a web application accepts as if the user had intended them. Imagine a bank website that has a POST request to transfer money into an account. If a malicious site can force the user's browser to send that POST request while they're logged in, then an attacker could trick the user into transferring money.
CSRF tokens protect against this by ensuring the POST request is legitimate. The website issues a token when it serves the GET request (the page containing the form), and when handling the POST request it checks that the submitted token matches the one it issued.
Modern solutions such as [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) provide a similar protection but aren't supported on all browsers.
## Installation
Add the CSRF library in your dependencies array in **Package.swift**:
```swift
dependencies: [
// ...,
.package(name: "VaporCSRF", url: "https://github.com/brokenhandsio/vapor-csrf.git", from: "1.0.0")
],
```
Also ensure you add it as a dependency to your target:
```swift
targets: [
.target(name: "App", dependencies: [
.product(name: "Vapor", package: "vapor"),
// ...,
"VaporCSRF"]),
// ...
]
```
## Usage
You must be using the `SessionsMiddleware` on all routes that interact with CSRF, since the token is stored in the session. You can enable this globally in **configure.swift** with:
```swift
app.middleware.use(app.sessions.middleware)
```
For more information on sessions, [see the documentation](https://docs.vapor.codes/4.0/sessions/).
### GET routes
In GET routes that render a form whose POST submission you want to protect, store a CSRF token in the session:
```swift
let csrfToken = req.csrf.storeToken()
```
This function returns a token you can then pass to your HTML page. For example, with Leaf this would look like:
```swift
let csrfToken = req.csrf.storeToken()
let context = MyPageContext(csrfToken: csrfToken)
return req.view.render("myPage", context)
```
You then need to return the token when the form is submitted. With Leaf, this would look something like:
```html
```
### POST routes
You can protect your POST routes either with Middleware or manually verifying the token.
#### Middleware
VaporCSRF provides a middleware that checks the token for you. You can apply this to your routes with:
```swift
let csrfTokenProtectedRoutes = app.grouped(CSRFMiddleware())
```
#### Manual Verification
If you want to control when you verify the CSRF token, you can do this manually in your route handler with `try req.csrf.verifyToken()`. E.g.:
```swift
app.post("myForm") { req -> EventLoopFuture<HTTPStatus> in
    // Throws (and so rejects the request) if the submitted token does not match the session.
    try req.csrf.verifyToken()
    // ...
    return req.eventLoop.makeSucceededFuture(.ok)
}
```
### Configuration
By default, VaporCSRF looks for a value with the key `csrfToken` in the POST body. You can change the key with:
```swift
app.csrf.setTokenContentKey("aDifferentKey")
```
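The whole flow wired together, as an added example that is not part of the library's README: sessions enabled, a GET route that stores the token and hands it to the template, and both POST variants (middleware and manual), each verifying the token before any side effect. `MyPageContext`, `TransferForm`, the route paths and the `transfer.leaf` template are assumptions for this example; the hidden input name `csrfToken` matches the default token content key described above.

```swift
import Vapor
import VaporCSRF

// Hypothetical context handed to the Leaf template (example only).
struct MyPageContext: Encodable {
    let csrfToken: String
}

// Hypothetical form body for the protected POST (example only).
struct TransferForm: Content {
    let amount: Int
    let toAccount: String
}

public func configure(_ app: Application) throws {
    // The token lives in the session, so sessions must be on for every CSRF route.
    app.middleware.use(app.sessions.middleware)

    // The default body key is "csrfToken"; change it with
    // app.csrf.setTokenContentKey("aDifferentKey") and rename the hidden input to match.

    // GET: mint a token, keep it in the session, and render it into the form.
    // transfer.leaf (assumed, not shown on this page) echoes it back with:
    //   <input type="hidden" name="csrfToken" value="#(csrfToken)">
    app.get("transfer") { req -> EventLoopFuture<View> in
        let csrfToken = req.csrf.storeToken()
        return req.view.render("transfer", MyPageContext(csrfToken: csrfToken))
    }

    // POST, option 1: the middleware rejects any submission whose token does not
    // match the session before the handler body ever runs.
    let protected = app.grouped(CSRFMiddleware())
    protected.post("transfer") { req -> EventLoopFuture<Response> in
        let form = try req.content.decode(TransferForm.self)
        req.logger.info("transfer of \(form.amount) to \(form.toAccount) authorised")
        // ... perform the transfer for the logged-in user ...
        return req.eventLoop.makeSucceededFuture(req.redirect(to: "/transfer"))
    }

    // POST, option 2: verify manually. Do it before decoding or acting on the body
    // so a forged request can never reach the side effect.
    app.post("transfer-manual") { req -> EventLoopFuture<Response> in
        try req.csrf.verifyToken()
        let form = try req.content.decode(TransferForm.self)
        req.logger.info("transfer of \(form.amount) to \(form.toAccount) authorised")
        // ... perform the transfer for the logged-in user ...
        return req.eventLoop.makeSucceededFuture(req.redirect(to: "/transfer"))
    }
}
```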